Posts Tagged ‘Step by Step’

 

In this post I will try to demonstrate how to build a Hyper-V CSV cluster in simple and easy steps.

 

Make sure of the normal things needed:

  • You are using Windows Server Enterprise or Datacenter (failover clustering is not supported on Standard or Web).
  • Shared storage between the hosts (with the same drive letter on each host).
  • You name the network cards the same on every host.
  • You have the necessary hardware (especially NICs: a single NIC can be OK in a lab, but in production you have to make sure you have):
    • One NIC for machine access (or more)
    • One for the cluster heartbeat
    • One for CSV and one for live migration (both can be the same, based on your setup)
    • One for iSCSI (this is a MUST)

Limitations for using Hyper-V and Failover Clustering

Specific limitations for using Hyper-V and the failover clustering feature are outlined below:

  • A maximum of 16 nodes per failover cluster is allowed.
  • You can have a maximum number of 1000 virtual machines per cluster for server computer virtualization, with a maximum of 384 on any one node. When Hyper-V is used in conjunction with Virtual Desktop Infrastructure (VDI) for client computer virtualization, you can have a maximum of 1000 VDI (Windows XP/Windows Vista®/Windows® 7) virtual machines per cluster, with a maximum of 384 on any one node.
  • The number of virtual machines allowed for each node does not change regardless of the size of the cluster.

 

Hyper-V Role Installation

We start by deploying the Hyper-V role as you normally would.

Select the Hyper-V role.

Next step: installing the Failover Clustering feature

To install the failover cluster feature on a Server Core installation, run the following command:

Start /w ocsetup FailoverCluster-Core

To install the failover cluster feature on a full installation of Windows Server 2008 R2:

1. If you recently installed Windows Server 2008 R2, the Initial Configuration Tasks interface is displayed. Under Customize This Server, click Add features. Then skip to step 3.

2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

In Server Manager, under Features Summary, click Add Features.

3. In the Add Features Wizard, click Failover Clustering, and then click Install.

4. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.

5. Repeat the process for each server that you want to include in the cluster.

 
Create a virtual network

You will need to perform this step on both physical computers if you did not create the virtual network when you installed the Hyper-V role. This virtual network provides the highly available virtual machine with access to the physical network.

To create a virtual network

1. Open Hyper-V Manager.

2. From the Actions menu, click Virtual Network Manager.

3. Under Create virtual network, select External.

4. Click Add. The New Virtual Network page appears.

5. Type a name for the new network. Make sure you use exactly the same name on all servers running Hyper-V.

6. Under Connection Type, click External and then select the physical network adapter.

7. Click OK to save the virtual network and close Virtual Network Manager.

 
Create the cluster

To create a cluster, you run the Create Cluster wizard.

To run the Create Cluster wizard

1. To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

2. Confirm that Failover Cluster Manager is selected and then, in the center pane under Management, click Create a cluster.

Follow the instructions in the wizard to specify:

· The servers to include in the cluster.

· The name of the cluster.

· Any IP address information that is not automatically supplied by your Dynamic Host Configuration Protocol (DHCP) settings.

3. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report.

To view the report after you close the wizard, see SystemRoot\Cluster\Reports, where SystemRoot is the folder in which the operating system is installed (for example, C:\Windows).

 

 

I always create a cluster with a single node first, just to make sure everything is OK.

Select the server.

Give the cluster a name and an IP address.

We make sure that everything is all right

Next step: we add the second node.

And we run the validation tests as above.

Next: configure the quorum.

Most of the time, based on the number of hosts, you will get a different recommendation (I explained each one in my post on how to create a cluster):

http://ahmedhusseinonline.com/2011/02/how-to-make-two-node-failover-clusters-windows-server-2008-r2-file-share-witness-and-disk-majority/

Last step: enable CSV.

Now a new storage type appears.
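The same build (validate, create with one node, add the second node, set the quorum, enable CSV) done with the FailoverClusters module of Windows Server 2008 R2, as an added example that is not part of the original post. Host names HV1/HV2, the cluster name and IP, the witness share, the disk name "Cluster Disk 2" and the cluster network name "iSCSI" are placeholders; run it from an elevated PowerShell on one of the hosts.

```powershell
# Added example: two-node Hyper-V cluster with CSV, using the FailoverClusters cmdlets.
# Placeholders: HV1/HV2, HVCluster, 192.168.10.50, \\FS1\ClusterWitness, "Cluster Disk 2", "iSCSI".
Import-Module FailoverClusters

$nodes   = 'HV1', 'HV2'
$cluster = 'HVCluster'

# 1. Validate before creating. Only a cluster whose validation passed is supported, and the
#    HTML report lists the storage, network and configuration differences between the hosts.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report written to $($report.FullName)"

# 2. Create the cluster with the first node only and confirm it comes up.
New-Cluster -Name $cluster -Node $nodes[0] -StaticAddress '192.168.10.50' | Out-Null
Get-ClusterNode -Cluster $cluster | Format-Table Name, State -AutoSize

# 3. Add the second node once the single-node cluster is healthy.
Add-ClusterNode -Cluster $cluster -Name $nodes[1] | Out-Null
Get-ClusterNode -Cluster $cluster | Format-Table Name, State -AutoSize

# 4. Quorum for two nodes: Node and File Share Majority, with the witness on a third server.
Set-ClusterQuorum -Cluster $cluster -NodeAndFileShareMajority '\\FS1\ClusterWitness' | Out-Null

# 5. Enable Cluster Shared Volumes, then turn the shared disk into a CSV. The disk then
#    appears under C:\ClusterStorage\Volume<n> on every node.
(Get-Cluster -Name $cluster).EnableSharedVolumes = 'Enabled'
Add-ClusterSharedVolume -Cluster $cluster -Name 'Cluster Disk 2' | Out-Null

# 6. Keep the iSCSI network out of cluster use (Role 0 = not used by the cluster), so that
#    heartbeat traffic and CSV redirected I/O never share the storage path, then review.
(Get-ClusterNetwork -Cluster $cluster -Name 'iSCSI').Role = 0
Get-ClusterNetwork -Cluster $cluster      | Format-Table Name, State, Role, Address -AutoSize
Get-ClusterSharedVolume -Cluster $cluster | Format-Table Name, State, OwnerNode -AutoSize
```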

 
Create a virtual machine

In this step, you use the New Virtual Machine Wizard to create a virtual machine.

On a Server Core installation, you have the option to create a virtual machine using the failover clustering PowerShell cmdlet, Add-ClusterVirtualMachineRole. The following is an example of how to use this cmdlet to create a virtual machine:

Add-ClusterVirtualMachineRole -VirtualMachine VM1 -Name "MainServer1"

This command configures VM1 as a clustered virtual machine, and assigns the name MainServer1 to the virtual machine.

Important

You must choose the shared storage as the location to store the virtual machine and the virtual hard disk. Otherwise, you will not be able to make the virtual machine highly available. To make the shared storage available to the virtual machine, you must create the virtual machine on the physical computer that is the node which owns the storage.

To create a virtual machine

1. Open Hyper-V Manager. Click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. If you are not already connected to the server that owns the shared storage, connect to that server.

3. From the Action pane, click New, and then click Virtual Machine.

4. From the New Virtual Machine Wizard, click Next.

5. On the Specify Name and Location page, specify a name for the virtual machine, such as FailoverTest. Click Store the virtual machine in a different location, and then type the full path or click Browse and navigate to the shared storage (or, if you will store it in the CSV, store it in C:\ClusterStorage\Volume* – you will find a folder with the same number as the storage you added).

6. On the Memory page, specify the amount of memory required for the operating system that will run on this virtual machine. For example, specify 1024 MB to run Windows Server 2008 R2.

7. On the Networking page, connect the network adapter to the virtual network that is associated with the physical network adapter.

8. On the Connect Virtual Hard Disk page, click Create a virtual hard disk. If you want to change the name, type a new name for the virtual hard disk. Click Next.

9. On the Installation Options page, click Install an operating system from a boot CD/DVD-ROM. Under Media, specify the location of the media, and then click Finish.

Make sure the Automatic Start Action of the virtual machine is Nothing.

Now we go to Failover Cluster Manager and select Configure a Service or Application.

Select Virtual Machine.

Make sure the Auto Start of the clustered service is Yes, as you see below.

Now for testing time: let's live migrate it.

One packet dropped; well, that's impressive.

Note: if you get "The Cluster service failed to bring clustered service or application completely online or offline. One or more resources may be in a failed state. This may impact the availability of the clustered service or application.", make sure that:

  • No local resources are in the VM
  • There are no issues in the cluster resources
  • Try to take the VM offline and open it from Hyper-V Manager (you will get detailed information then)

http://technet.microsoft.com/en-us/library/cc732181(WS.10).aspx
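An added example, not from the original post, that makes the VM above highly available from PowerShell, live migrates it while counting lost pings (the post's "one packet dropped" check), and, if the role does not come fully online, lists the failed resources and collects the cluster log. The cluster name HVCluster, VM name FailoverTest, role name MainServer1, target node HV2 and VM address 192.168.10.60 are placeholders; cmdlets are those of the Windows Server 2008 R2 FailoverClusters module (PowerShell 2.0).

```powershell
# Added example: cluster a VM, live migrate it under a ping, and triage a role that failed.
# Placeholders: HVCluster, FailoverTest, MainServer1, HV2, 192.168.10.60, C:\Temp.
Import-Module FailoverClusters

$cluster = 'HVCluster'
$vmName  = 'FailoverTest'
$role    = 'MainServer1'
$target  = 'HV2'
$vmIp    = '192.168.10.60'

# 1. Same cmdlet the post shows, with the cluster named explicitly. The VM must already live
#    on the CSV path and have its Hyper-V automatic start action set to Nothing.
Add-ClusterVirtualMachineRole -Cluster $cluster -VirtualMachine $vmName -Name $role | Out-Null
Get-ClusterGroup -Cluster $cluster -Name $role | Format-Table Name, State, OwnerNode -AutoSize

# 2. Live migrate while pinging the guest from this host. Test-Connection only emits objects
#    for answered pings, so the missing ones are the packets lost during the move.
$ping = Start-Job -ScriptBlock {
    param($ip) Test-Connection -ComputerName $ip -Count 60 -ErrorAction SilentlyContinue
} -ArgumentList $vmIp
Move-ClusterVirtualMachineRole -Cluster $cluster -Name $role -Node $target | Out-Null
Wait-Job -Job $ping | Out-Null
$replies = @(Receive-Job -Job $ping)
Remove-Job -Job $ping
Write-Host ("Live migration to {0} done, {1} of 60 pings lost" -f $target, (60 - $replies.Count))

# 3. If the role reports "failed to bring ... completely online", show every resource that is
#    not Online and pull the last 15 minutes of the cluster log from all nodes into C:\Temp.
$failed = Get-ClusterGroup -Cluster $cluster -Name $role | Get-ClusterResource |
          Where-Object { $_.State -ne 'Online' }
if ($failed) {
    $failed | Format-Table Name, ResourceType, State, OwnerNode -AutoSize
    Get-ClusterLog -Cluster $cluster -TimeSpan 15 -Destination 'C:\Temp' | Out-Null
    Write-Warning "Role $role is not fully online; see the resources above and C:\Temp\*.log"
}
```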

Have you ever lost a laptop, an external hard disk, or a thumb drive (USB/flash stick)? This is when you start remembering the critical things on that drive that you did not consider before: it might be photos, critical documents, etc. Now think that it was not your personal laptop but your CEO's or your CFO's. This could cripple your company if this information got out.

Hacking used to be just for fun, but now it's a business. Believe me, someone out there cares about this (your information) and is trying to get it.

This is when BitLocker comes into play.

This learning guide is made of the steps taken from Microsoft TechNet, with the topics rearranged to seem a bit more logical for someone who does not know the technology (there is no point in reinventing the wheel). I also added my personal experience and explained any other technology that might be needed in the process.

 

The sole purpose of this guide is to give some idea about the technology. You can use it to deploy your own solution, but I don't recommend it, as every infrastructure is a bit different from the others. Please remember the golden rule: "60% planning, 30% deployment, 10% maintenance".

 
What is BitLocker? How does it work?

BitLocker Drive Encryption is a data protection feature available in Windows 7 Enterprise and Windows 7 Ultimate for client computers and in Windows Server 2008 R2. BitLocker provides enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

  • Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is integrated into Windows 7 and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

How BitLocker works with fixed and removable data drives

BitLocker can also be used to protect fixed and removable data drives. When used with data drives, BitLocker encrypts the entire contents of the drive and can be configured by using Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with the following unlock methods for data drives:

  • Automatic unlock. Fixed data drives can be set to automatically unlock on a computer where the operating system drive is encrypted. Removable data drives can be set to automatically unlock on a computer running Windows 7 after the password or smart card is initially used to unlock the drive. However, removable data drives must always have either a password or smart card unlock method in addition to the automatic unlock method.
  • Password. When users attempt to open a drive, they are prompted to enter their password before the drive will be unlocked. This method can be used with the BitLocker To Go Reader on computers running Windows Vista or Windows XP, to open BitLocker-protected drives as read-only.
  • Smart card. When users attempt to open a drive, they are prompted to insert their smart card before the drive will be unlocked.

A drive can support multiple unlock methods. For example, a removable data drive can be configured to be automatically unlocked on your primary work computer but query you for a password if used with another computer.

Does BitLocker support multifactor authentication?

Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2, you can use additional forms of authentication with the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key, or both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

Why are two partitions required? Why does the system drive have to be so large?

Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. In Windows Vista, the system drive must be 1.5 gigabytes (GB), but in Windows 7 this requirement has been reduced to 100 MB for a default installation. The system drive may also be used to store the Windows Recovery Environment (Windows RE) and other files that may be specific to setup or upgrade programs. Computer manufacturers and enterprise customers can also store system tools or other recovery tools on this drive, which will increase the required size of the system drive. For example, using the system drive to store Windows RE along with the BitLocker startup file will increase the size of the system drive to 300 MB. The system drive is hidden by default and is not assigned a drive letter. The system drive is created automatically when Windows 7 is installed.

Can BitLocker deployment be automated in an enterprise environment?

Yes, you can automate the deployment and configuration of BitLocker with scripts that use the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. How you choose to implement the scripts depends on your environment. You can also use the BitLocker command-line tool, Manage-bde.exe, to locally or remotely configure BitLocker.

What happens if the computer is turned off during encryption or decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?

It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

What is BitLocker To Go?

BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems.

How can I authenticate or unlock my removable data drive?

In Windows 7, you can unlock removable data drives by using a password or a smart card. After you’ve started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements.

Can I use BitLocker To Go with computers running Windows XP or Windows Vista?

Yes. By default, if the removable data drive is formatted by using the FAT file system and then locked with BitLocker To Go using a computer running Windows 7, it can be unlocked on a computer running Windows XP or Windows Vista. However, the files will be available with read-only access on those operating systems, and no files can be added to the removable drive from those computers. When you insert the removable drive into a computer running Windows XP or Windows Vista, the only readable file on the drive is the BitLocker To Go Reader application, which is automatically written to the drive when BitLocker protection is turned on for the drive in Windows 7. By running the BitLocker To Go Reader, you will be able to view the files on the BitLocker-protected removable drive.

What happens if I try to open a BitLocker-protected, NTFS-formatted removable drive by using a computer running Windows XP or Windows Vista?

In most cases, Windows XP and Windows Vista will not be able to recognize a BitLocker-protected, NTFS-formatted removable drive. In many situations, the user will be prompted to format the drive. Because of this, it is recommended that removable drives be formatted by using the FAT, FAT32, or exFAT file system when using BitLocker.

If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.

What is best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 and a Trusted Computing Group (TCG)-compliant BIOS implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

What is a Trusted Platform Module?

A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system by using a hardware bus.

Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master "wrapping" key, called the storage root key, which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.

Computers that incorporate a TPM can also create a key that has not only been wrapped but is also tied to certain platform measurements. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting the key is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With this sealed key and software such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.

With a TPM, private portions of key pairs are kept separate from the memory controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system—assurances that define the "trustworthiness" of a system—can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely on the operating system and is not exposed to vulnerabilities that might exist in the operating system or application software.

Are your computers and drives physically secure?

Some computers, such as desktop computers and servers, are not likely to leave a physically secure location. This can mean that BitLocker protection is less important or that a lower level of protection is appropriate. In comparison, removable drives or portable computers that often leave the secure confines of your organization should be treated differently and with a higher level of protection. For more information about determining levels of protection

How Strong Do You Want the BitLocker Protection?

Determining the strength of BitLocker protection means determining the criteria for unlocking the drive after it is protected. When a BitLocker drive is unlocked, BitLocker authenticates the drive based on the valid key protectors being provided and then authorizes the unlocking of the drive. BitLocker offers a variety of key protectors that permit users to authenticate based on user knowledge, hardware component validation, and software keys as well as a combination of these. The information in this section helps you decide what type of protection you want to use with BitLocker.

Key protector terms:

  • TPM: A hardware device used to help establish a secure root of trust. BitLocker supports only TPM version 1.2 and above.
  • PIN: A user-entered numeric key protector that can only be used in addition to the TPM.
  • Startup key: An encrypted file that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.

How Do You Want to Recover BitLocker-Protected Drives?

A recovery method is used when a drive cannot be accessed by using the normal BitLocker unlock method. Unlock can fail on an operating system drive when a PIN is forgotten, a startup key is lost, or if the Trusted Platform Module (TPM) registers changes in the system components that it monitors before allowing the computer to start. For fixed and removable data drives, a recovery method is used when a password is forgotten or a smart card is lost. Consider the following situations when choosing which recovery methods your organization will support.

Recovery methods, with their description, user configuration options, advantages and disadvantages:

  • Recovery password (also known as a recovery key in the graphical user interface and as a numerical password in the Manage-bde command-line tool)
    Description: The recovery password is a 48-digit numerical password that can be backed up to Active Directory Domain Services (AD DS). It can also be printed or saved to a text file.
    User configuration options: The password can be printed or saved to a file by the user. This functionality can be disabled by Group Policy.
    Advantages:
    · Can be backed up to AD DS
    · Does not require IT physical presence
    · 48-digit password can be read over the phone by a help desk attendant
    Disadvantages:
    · Users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy
    · Not FIPS compliant

  • Recovery key
    Description: The recovery key is a 256-bit key that can be saved to a USB flash drive. It is not available by default for removable data drives. It is Federal Information Processing Standard (FIPS) compliant.
    User configuration options: The location in which to save the recovery key must be specified by the user.
    Advantages:
    · FIPS compliant
    Disadvantages:
    · Cannot be backed up to AD DS
    · Users may store USB drives with their computer
    · If the key to unlock the operating system drive is stored with the computer, the protection is rendered useless
    · USB drives could be lost
    · If users lose the USB drive with their recovery key, they will not have a recovery method

  • Data recovery agent
    Description: The data recovery agent is a public key that is distributed to all BitLocker-protected devices as configured by Group Policy. It is FIPS compliant.
    User configuration options: Data recovery agents cannot be configured by the user.
    Advantages:
    · FIPS compliant
    · Automatically applied to drives
    Disadvantages:
    · IT department personnel must be physically present
    · The private key must be used to recover the drive
    · The operating system drive must be installed on another computer running Windows 7 as a data drive

If you choose to support either the recovery password or the recovery key, you can use AD DS to store the recovery information. BitLocker integrates with AD DS to provide centralized key management for recovery information. When the recovery key methods are supported, users can print recovery information, save it to a file, or save it to a USB drive. However, this recovery information is not automatically provided to the system administrators by default, and no recovery information is backed up to AD DS. This means that being able to recover BitLocker-protected drives is solely the responsibility of the user. However, to be able to provide an administrative method to recover BitLocker-protected drives, you can configure Group Policy settings to enable the backup of BitLocker and TPM recovery information. Windows Server 2008 and Windows Server 2008 R2 include support for BitLocker recovery by default. If you are using domain controllers running Windows Server 2003, you must extend the schema first to provide storage locations in AD DS for BitLocker recovery data.

The following recovery data can be saved for each computer object:

  • Recovery password
    A 48-digit recovery password used to recover a BitLocker-protected drive. Users enter this password to unlock a drive when BitLocker enters recovery mode.
  • Key package data
    With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected drive if the drive is severely damaged. Each key package will only work with the drive it was created on, which can be identified by the corresponding BitLocker identifier.
  • TPM owner password hash
    When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.

Using BitLocker with operating system drives

Using BitLocker on operating system drives works best on computers with a compatible version 1.2 Trusted Platform Module (TPM). When using the TPM with BitLocker, the TPM must be enabled, activated, and owned. These TPM processes are automatically completed if necessary during the BitLocker setup process. For more information about working with the TPM

Things you need to know

The system requirements for running BitLocker are slightly different, depending on whether you will be encrypting an operating system drive or a data drive.

To encrypt the drive that Windows is installed on—the operating system drive—BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have one of the following:

  • A computer with a Trusted Platform Module (TPM). If your computer was manufactured with a TPM version 1.2 or higher, BitLocker protects keys with the TPM.
  • A removable USB device, such as a USB flash drive. If your computer does not have a version 1.2 or higher TPM, BitLocker will store its key on the USB device.

To turn on BitLocker Drive Encryption on the operating system drive, your computer’s hard disk must meet the following requirements:

  • The hard disk must contain at least two partitions: the operating system partition and the active system partition. The operating system partition is where Windows is installed and will be encrypted. The active system partition must remain unencrypted so that the computer can be started, and this partition must be at least 100 MB in size. By default in Windows 7, the system partition will not be given a letter and will be hidden from the user. If your computer does not have a separate, active partition, the required partitions will be created for you during BitLocker setup. By default during Windows setup, a separate, hidden system partition is created. It is a best practice for users to run as a standard user to prevent access to the system partition.
  • The operating system and active system partitions must be formatted with the NTFS file system. Other partitions can be formatted with NTFS, FAT, FAT32, or exFAT.
  • The BIOS must be compatible with the TPM or support USB devices during computer startup. If this is not the case, you will need to update the BIOS before using BitLocker.

You can use BitLocker to encrypt fixed data drives (such as internal hard drives) and removable data drives (such as external hard drives and USB flash drives). To encrypt a data drive, it must be formatted by using the FAT, FAT16, FAT32, or NTFS file system and must be at least 64 MB in size.

Notes

BitLocker protection on FAT-formatted removable drives is known as BitLocker To Go. When a BitLocker-protected removable drive is unlocked on a computer running Windows 7, the drive is automatically recognized and the user is either prompted for credentials to unlock the drive or the drive is unlocked automatically if it is configured to do so. Computers running Windows XP or Windows Vista do not automatically recognize that the removable drive is BitLocker-protected.

To allow users of these operating systems to read content from BitLocker-protected removable drives by default, an additional FAT32 drive is created that is hidden on computers running Windows 7 but is visible on computers running Windows XP or Windows Vista. This hidden drive is called the discovery drive. The discovery drive contains the BitLocker To Go Reader. With BitLocker To Go Reader, users can unlock the BitLocker-protected drives by using a password or a recovery password (also known as recovery key).

  • You should make sure that users unlock BitLocker-protected removable drives only on computers they trust. After the drive is unlocked, the contents of the drive and the unlock mechanism you used are exposed to the host computer and could be captured.
  • The discovery drive is formatted as unencrypted (plaintext) and with no free space. User data should not be stored on this drive.
  • The BitLocker To Go Reader is not compatible with the NTFS file system. By default, many external drives are formatted in NTFS by the operating system. If you are planning to use the BitLocker To Go Reader, format the external drives in your organization by using the exFAT file system.

Backing Up BitLocker and TPM Recovery Information to AD DS

You can configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives and the Trusted Platform Module (TPM) to Active Directory Domain Services (AD DS). Recovery information includes the recovery password for each BitLocker-protected drive, the TPM owner password, and the information required to identify which computers and drives the recovery information applies to. Optionally, you can also save a package containing the actual keys used to encrypt the data as well as the recovery password required to access those keys.

Using AD DS to store BitLocker recovery information

Backing up recovery passwords for a BitLocker-protected drive allows administrators to recover the drive if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.

Backing up the TPM owner information for a computer allows administrators to locally and remotely configure the TPM security hardware on that computer. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.

In a default BitLocker installation, recovery information is not backed up and local users must be responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, the administrator cannot easily get access to the drive. To mitigate this situation, administrators can configure Group Policy settings to enable backup of BitLocker and TPM recovery information. Before configuring these settings, as a domain administrator you must ensure that the Active Directory schema has the necessary storage locations and that access permissions have been granted to perform the backup.

You should also configure AD DS before configuring BitLocker on client computers. If BitLocker is enabled first, recovery information for those computers will not be automatically added to AD DS. If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled by using either the Manage-bde command-line tool or the BitLocker Windows Management Instrumentation (WMI) provider. For more information about the WMI provider, see the MSDN topic BackupRecoveryInformationToActiveDirectory Method of the Win32_EncryptableVolume Class (http://go.microsoft.com/fwlink/?LinkId=167132).
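As an added example (not code from the original post or from Microsoft), the following PowerShell script does with WMI what the paragraph above describes: it enumerates the BitLocker volumes on a domain-joined client, reports their protection status, and pushes every numerical (recovery) password protector to AD DS with the BackupRecoveryInformationToActiveDirectory method of Win32_EncryptableVolume. It assumes an elevated prompt on a Windows 7 client whose domain has already been prepared as described later in this post; the namespace, class and method names are the documented ones, the key protector type value 3 is the documented code for a numerical password.

```powershell
# Added example: audit BitLocker status per volume and back up recovery passwords
# to AD DS through the Win32_EncryptableVolume WMI provider. Run elevated on a
# domain-joined Windows 7 client; the AD schema and ACE preparation must already
# be in place or the backup call returns a non-zero code.

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    Write-Host ("{0} ProtectionStatus={1}" -f $vol.DriveLetter, $status)

    if ($status -ne 1) {
        Write-Warning ("{0} is not BitLocker-protected; nothing to back up." -f $vol.DriveLetter)
        continue
    }

    # Key protector type 3 = numerical password (the 48-digit recovery password).
    $result = $vol.GetKeyProtectors(3)
    if ($result.ReturnValue -ne 0 -or -not $result.VolumeKeyProtectorID) {
        Write-Warning ("{0} has no recovery password protector; add one first with manage-bde -protectors -add {0} -recoverypassword" -f $vol.DriveLetter)
        continue
    }

    foreach ($id in $result.VolumeKeyProtectorID) {
        # Creates a BitLocker recovery child object under this computer's AD object.
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -eq 0) {
            Write-Host ("  backed up protector {0} to AD DS" -f $id)
        } else {
            Write-Warning ("  backup of protector {0} failed, return code 0x{1:X8}" -f $id, $rc)
        }
    }
}
```

A non-zero return code from the backup call is the quickest sign that the schema objects or the SELF write permission described later in this post are missing on the domain; verify those with ADSI Edit before re-running the script.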

Note: You can save recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1.

Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object.

Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object because multiple recovery passwords can be associated with a BitLocker-protected drive and multiple BitLocker-protected drives can be associated with a computer.

Before you begin

Download and review the sample scripts used in the following procedures to configure AD DS for backing up BitLocker recovery information.

The first thing we need to do is add the ACE to Active Directory so that the backup can take place.

Download the script from http://go.microsoft.com/fwlink/?LinkId=167133

This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows SELF (the computer itself) to write to the ms-TPM-OwnerInformation attribute for computer objects in the domain.

The sample script provided operates under the following assumptions:

  • You have domain administrator privileges to set permissions for the top-level domain object.
  • Your target domain is the same as the domain for the user account running the script.
  • Your domain is configured so that permissions inherit from the top-level domain object to targeted computer objects.

Since I have one domain (demolab.local, Windows 2008 R2) I will keep the script as it is.

Now open CMD with administrative rights and run: cscript <Script Name>.vbs

    Let's make sure that everything is OK.

    Open ADSI Edit; you should find the following objects:

    • CN=ms-FVE-KeyPackage – attributeSchema object
    • CN=ms-FVE-RecoveryGuid – attributeSchema object
    • CN=ms-FVE-RecoveryInformation – classSchema object
    • CN=ms-FVE-RecoveryPassword – attributeSchema object
    • CN=ms-FVE-VolumeGuid – attributeSchema object
    • CN=ms-TPM-OwnerInformation – attributeSchema object

    Now your domain is ready for the TPM backup. Next we create a GPO for BitLocker and configure the options needed for the backup.

    1- Change "Choose how BitLocker-protected XX drives can be recovered" (we will be doing this for fixed, OS and removable drives).

    The configuration is the same across the three.

    The next thing is to enable TPM backup to AD.

My Windows 7 machines were migrated from Windows XP and have only one partition, so we will need the BitLocker Drive Preparation Tool to create the active boot drive for us.

So we need to run the following (it will take about 5 minutes):

BdeHdCfg -target default -size 500 -quiet -restart

For the list of parameters please visit http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx

This is the end result.

Now, personally I always like the end user to do it himself in his own time frame; this also makes him create a unique recovery key.

So let's force them to enable BitLocker on both external drives and fixed drives, as both can be added after we run our script. Now back to the BitLocker GPO,

and enable "Deny write access to XX drives not protected by BitLocker" (this will be enabled for fixed, OS and removable drives).

This is the end result when plugging in a USB drive.

But for this guide I will be using a WMI script to do it (please note that my test machines don't have a TPM, so I will use a USB drive, and I will deactivate the BitLocker enforcement).

So this is an additional step, only needed if you don't have a TPM in your machines:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require Additional Authentication at Startup > Enable

You can find the needed scripts at

http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205

So the first thing is to run the command line using SCCM or any other tool (you can use a startup script for it, but I don't recommend this).

This sample script is designed to be used for all BitLocker configuration scenarios. It can be run multiple times on a computer. The script automates the following BitLocker configuration settings:

  • Enable and activate the TPM
  • Take ownership of the TPM and generate a random owner password
  • Enable BitLocker protection using:
    • TPM only
    • TPM and PIN
    • TPM and Startup Key
    • USB only
  • Create an additional recovery key
  • Create a recovery password
  • Specify the encryption method
  • Reset TPM owner information

EnableBitLocker.vbs /on:usb promptuser /l:c:\BL.Log

The results:

Now let's save the recovery key.

Now if we unplug the USB drive, Windows 7 will not start.

Now let's launch the recovery environment (WinRE) and give it a look.

Select our USB drive.

Now we can read the hard disk OK.

Note: if you receive "ERROR – the ProtectKeyWithExternalKey Method failed with the exit code ...", make sure you have a working TPM, and make sure you have the correct boot order; sometimes with a docking station things can get messed up.

BitLocker Recovery Password Viewer for Active Directory

This tool lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.

The BitLocker Recovery Password Viewer is part of the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1); you can download it at

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

After installation, enable it.

Now let's register the needed DLL by running:

regsvr32.exe BdeAducExt.dll

Now we have a tab in each computer's properties like this.

See how easy BitLocker is!

Microsoft Application Virtualization (App-V) transforms applications into centrally managed services that are never installed and don’t conflict with other applications.

IT professionals and end users alike face challenges in today's work environment. End users speak many languages, are geographically dispersed and may not be connected to corporate networks at all times. IT must meet the needs of these users and provide solutions that are fast, flexible and reliable. App-V can help with the challenges you face day to day and enable your business to be more flexible and responsive to changing needs.

 

Improvements

App-V 4.6 SP1 contains the following improvements:

Improved sequencing experience

The App-V 4.6 SP1 Sequencer is updated to help improve the sequencing process and to create a more predictable packaging experience. The following improvements are implemented in this update:

  • App-V Package Accelerators can be used to automatically sequence large and complex applications.
  • Improved support when you use App-V project templates.
  • Step-by-step instructions in sequencing.
  • Improved reporting to identify sequencing issues.

Support for read-only cache on RDS

App-V 4.6 SP1 now supports a shared cache that is read-only in both Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS) environments.

Support for the sequencing of Microsoft .NET Framework 4.0

App-V 4.6 SP1 now supports the sequencing of the Microsoft .NET Framework 4.0.

 

 

Installing the App-V 4.6 SP1 Sequencer

Select the installation location.

Select the virtual drive (Vdrive).

And apply some of the best practices:

Create a dummy printer.


Next, create a dummy ODBC data source (the sequencer installation took care of this, but make sure it's there).

Turn off some services (change them to Manual):

  • Superfetch
  • Security Center
  • Windows Defender
  • Windows Search
  • Windows Update
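The same sequencer preparation as an added PowerShell example (not code from the original post or from the App-V product): it looks each service up by the display name the post lists, sets it to Manual start and stops it if it is running, and skips any service that does not exist on the build you are sequencing on instead of failing half-way through. Run it elevated on the sequencer machine.

```powershell
# Added example: set the sequencer "noise" services to Manual and stop them.
# Services are found by display name, as listed above; a missing one is skipped.
$displayNames = 'Superfetch', 'Security Center', 'Windows Defender', 'Windows Search', 'Windows Update'

foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this machine; skipping."
        continue
    }
    # Manual start keeps the service available but stops it from interfering
    # with monitoring during the sequencing capture.
    Set-Service -Name $svc.Name -StartupType Manual
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $svc.Name -Force
    }
    $now = (Get-Service -Name $svc.Name).Status
    Write-Host ("{0} ({1}): startup=Manual, status={2}" -f $name, $svc.Name, $now)
}
```

Re-run it after each sequencer reboot, or take a snapshot of the sequencer VM once the services are in this state, so every capture starts from the same baseline.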

I always like to allow applications to interact with the OS.

I always like to remove the following exclusions.

Let us start sequencing.

Create a new package.

The wizard gives us a warning because Windows Defender is on, and it also gives you some additional information about it.

Ready to begin.

Select Standard most of the time.

Select the Adobe source.

Give it a name; as you see, you don't have to use 8.3 naming anymore.

A nice notification to remind you.

This is not the first block, it's the first use (AKA you are still capturing the system).

Things that App-V did not capture.

I like to customize.

I don't like to have the adobe.com shortcut, so I remove it in the edit shortcuts step.

This is the first block.

Please note that the application is only supported on the platform it was sequenced on; in other words, if you used Win7 SP1 x86 as your sequencer, your clients will need to be the same. But so far I have not found any issue delivering applications to other platforms.

Don't forget to give it the server name and the path.

And we save the package as normal.

 

 

Next we sequence Adobe Flash.

This time we will use Plugin.

Select the parent application.

Now select the plugin.

Now, the issue is that to make this plugin work, users must launch IE from this shortcut so it can call the App-V application.

Next we test it with a Flash web site (http://www.gettheglass.com/).

Next step: we install the client.

I like to create application groups to keep my server organized.

The App-V Package Accelerator Gallery

APPV Home ( http://technet.microsoft.com/en-us/appvirtualization/bb508934 )

APPV labs ( http://technet.microsoft.com/en-us/virtuallabs/ee862412.aspx )

What if you have several sites distributed across huge geographical distances, without a connection or with a poor connection speed? How would you collect data from and proactively protect your systems?

This is when SCA comes to the rescue. SCA is a cloud-based service that monitors your systems and collects their errors. For now it does not cover all systems, but it covers the most important ones: your AD and the DB.

What is SCA?

System Center Advisor (http://www.systemcenteradvisor.com) is an online service that analyzes installations of Microsoft SQL Server 2008 (and later versions) and Windows Server 2008 (and later versions). Advisor collects data from your installations, analyzes it, and generates alerts that identify potential issues (such as missing security patches) or deviations from identified best practices with regard to configuration and usage. Advisor also provides both current and historical views of the configuration of servers in your environment.

What is the difference between SCOM and SCA?

Advisor is developed by the Microsoft System Center Advisor product group in partnership with Microsoft Support engineers to ensure that the issues customers report to Microsoft are detected before they affect your environment. Advisor is regularly updated to reflect the most recent experiences of these engineers, who support customers around the world.

Also, SCOM is real-time monitoring; SCA is not (up to 12 hours of lag).

 

What does Advisor analyze?

As of the Release Candidate version of Advisor, the following workloads are analyzed:

  • Windows Server 2008 and later:
    • Active Directory
    • Hyper-V Host
    • General operating system
  • SQL Server 2008 and later
    • SQL Engine

The Advisor environment

The Advisor environment is made up of the Advisor web service, hosted in the cloud, and the on-premise software, installed in your local environment. The on-premise software consists of one gateway and at least one agent. The agent collects data from your server and analyzes it using a set of rules (similar to a management pack in System Center Operations Manager) known collectively as Advisor knowledge. The analyzed data is regularly sent from the agent to the gateway for upload to the Advisor web service. If the data indicates an issue or a deviation from best practices, an alert is generated. By connecting a web browser to the Advisor portal, you can view the alerts and the associated remediation guidance.


 

What data is collected?

The full list of data points collected by the agent is available for download here, from the Microsoft Download Center, in an Excel spreadsheet.

For example, included in this list are properties about SQL Server like data from SERVERPROPERTY, sys.databases, and sys.configurations.

In addition to this list of data points, we collect some diagnostic data from event logs to help identify any problems with the Advisor on-premise software.

the System Center Advisor agent collects data about your environment from the following locations:

  1. Windows Registry
  2. Windows WMI calls
  3. SQL OleDB queries
  4. Windows event log
  5. SQL error logs
  6. Agent error logs

This data is analyzed for any issues or deviations from defined best practices. If any are identified, alerts are generated to help you resolve the issues. This data is also used to provide configuration information for the computers in your environment. You can view the configuration on either the Configuration: Current Snapshot or Configuration: Change History pages.

The specific data that is collected is determined by configuration information sent to the agent from Advisor. Every 24 hours, the on-premise software queries Advisor for updates to the configuration. The gateway server automatically downloads this content and stores it to be picked up by the agent.

 

How the data is stored and sent to Advisor

The agent stores the collected information in a set of XML files on the local disk. You can open and audit these files. See View the Data that is sent to System Center Advisor for more information.

Every 24 hours, the xml files are packaged into a compressed CAB file and copied to the gateway. The gateway then securely uploads the CAB file to your Advisor account.

On-premise software functions and requirements

Advisor consists of a web service in the cloud and on-premise software that is installed locally in your environment.

Before you begin deploying the on-premise software, ensure that you understand the following:

  • The agent is installed on any server from which you want to collect and analyze data.
  • The gateway transfers data from your agents to the web service. It does not analyze any of the data. If you want to analyze data for the server where the gateway is installed, you must also install an agent on that server.
  • The gateway must have access to the internet in order to upload data to the web service.
  • For the best results, do not install the Advisor gateway on a computer that is also a domain controller.
  • The agent must have network connectivity to the gateway so it can automatically transfer data to and from the gateway.

Co-existence with Operations Manager 2007 R2

Advisor uses the System Center Health Service to collect and analyze data. The version that is used by Advisor is the same as the System Center Operations Manager 2007 R2 agent. Because of this, when you view the programs installed on your server, you will see System Center Operations Manager 2007 R2 agent software, particularly in Add/Remove Programs. Do not remove these as Advisor is dependent on them. If you remove the Operations Manager agent software, Advisor will no longer function.

When you install an Advisor agent on a computer that has a System Center Operations Manager 2007 R2 agent installed, the Health Service will be configured to run in multi-homing mode so that existing Operations Manager management groups are not impacted. For more information on multi-homing configurations, see Configure an Agent to Report to Multiple Management Groups, available in the System Center Operations Manager 2007 R2 library, at http://go.microsoft.com/fwlink/?LinkID=204945.

When you uninstall Advisor, Add/Remove Programs will uninstall Advisor and update the System Center Operations Manager agent to remove Advisor-specific configurations while ensuring that the Operations Manager agent continues to work. On computers with only Advisor installed (and no Operations Manager), the agent is completely uninstalled.

Advisor is only supported with the System Center Operations Manager 2007 R2 agent and not with previous versions of System Center Operations Manager.

 

Clustering support

The Advisor agent is supported on computers running Windows Server 2008 and Windows Server 2008 R2 and configured to be part of a Windows failover cluster. You can view the virtual clusters in the Advisor portal, the same as physical computers. The only difference is seen on the Servers page, where virtual clusters are identified as TYPE=OTHER (as opposed to TYPE=AGENT, the way that physical computers are identified).

The discovery and configuration rules will run on the active and passive nodes of the cluster, but any alerts generated on the passive nodes will be ignored. If a node shifts from passive to active, alerts for that node are displayed automatically, with no intervention required from you.

Some alerts might be generated twice, depending on the rule that generates the alert. For example, a rule that detects a bad driver by examining the operating system entity will generate alerts for both the physical server and the virtual cluster.

Configuration analysis of passive nodes is not supported.

In addition, the Advisor portal does not support grouping or linking of Windows Server computers that are part of the same Windows failover cluster.

Scaling your Advisor environment

When you plan your Advisor deployment, particularly the number of agents you want to transfer data through a single gateway, consider the capacity of that server in terms of file space.

Consider the following variables:

  • Number of agents per gateway
  • The average size of the data transferred from the agent to gateway per day.  By default each agent uploads CAB files to the gateway twice per day. The size of the CAB files depends on the configuration of the machine (such as number of SQL engines and number databases) and the health of the machine (e.g. the number of alerts generated). In most cases, the daily upload size is typically less than 100 KB.
  • Archival period for keeping data on the gateway (default is 5 days)

So, as an example, assuming a daily upload size of 100KB per agent and the default archival period, you would need the following storage on the gateway:

Space required = agents × 100 KB × 5 days

 

Geographic location

If you want to analyze data from servers in diverse geographic locations, consider having one gateway per location. This can improve the performance of data transfer from the agent to the gateway.

Ports needed

Only HTTP and HTTPS are needed (80 and 443).

 

Supported operating systems

Agents and gateways are supported on the 32-bit and 64-bit editions of Windows Server 2008 and 2008 R2, and also on Hyper-V Server.

Required software

Only .NET Framework 3.5 SP1.

Supported browsers

The following browsers are supported:

  • Windows Internet Explorer 7 (or a later version)
  • Mozilla Firefox 3.5 (or a later version)

Regardless of the browser you use, you must also install Microsoft Silverlight 4.

Supported technologies for analysis

Advisor analyzes the following workloads:

  • Windows Server 2008 and later:
    • Active Directory
    • Hyper-V Host
    • General operating system
  • SQL Server 2008 and later (any edition including Express ) 
    • SQL Engine

In addition, the 32-bit edition of SQL Server is supported when running in the WOW64 implementation.

Just after we activate our account we are prompted with this wizard; download both the certificate and the gateway and agent setup.

Next we start installing the gateway and the agent.

Select the installation location.

A normal warning.

Select what you need to install.

Give it the path to the certificate you downloaded.

Install the SCOM agent (if you are installing on a DC you will get "failed to start service", and that's normal).

Installing the SCA agent and gateway.

And we are done.

 

As you can see it's almost real time: the installation has already been detected on the portal.

Now let's install the agent only on the SQL server.

On the gateway, go to Users and Groups and add the computer you will install the agent on (I have my GW on a DC, but if it's not, it will be the local Users and Groups), and add the computer object so it can access the GW.

Select Agent.

Select your gateway.

Now the portal will be updated with new information every 12 hours (the default value).

This is how it looks; as you see, it also tells you how to fix the issue.

Configuration snapshots

Configuration history

Servers

 

 

Configure the Gateway and Agent

You can use registry keys to control most configuration settings for the gateway and agent. By changing the various registry keys, you can customize the frequency of data uploads (between the agent and the gateway, and between the gateway and the service), the size and location of mailbox shares on both the gateway and agent, and the archival period for content. The following sections describe the configuration settings that you can change for the gateway and agent, including setting the proxy configuration for the gateway through the config.xml file.

Configuring the gateway

The following table lists the registry values and default values for the gateway's configuration settings. The registry values for the gateway are stored under HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCenterAdvisor\Gateway.

After you change any of the registry keys, you will need to restart the gateway service. To restart the gateway service, in the Services console, right-click System Center Advisor Gateway, and then click Restart.

Each entry below gives Setting Name – Type – Default Value, followed by its description.

UploadFrequency – REG_DWORD – default: 1
    Defines how frequently the gateway uploads data to the service. Use one of the following values:
      • 1 – Data is uploaded every 12 hours
      • 2 – Data is uploaded every 24 hours
      • 3 – Data is uploaded once per week
    Note: If you set the value to 3, you must also specify a value in the UploadDay key.

UploadDay – REG_DWORD – default: 1
    Defines the day of the week to upload data to the service. The day of the week is represented by a number, where 1 is Monday and 7 is Sunday.
    Note: Use this setting only when the UploadFrequency key is set to 3.

UploadTimeHour – REG_DWORD – default: a random number between 2 and 6
    Defines the hour of the day to upload data to the service. Use a number between 0 and 23 to specify the hour.

UploadTimeMin – REG_DWORD – default: a random number between 0 and 59
    With the UploadTimeHour setting, defines the minute to upload data to the service. Use a number between 0 and 59.

PollingFreq – REG_DWORD – default: 15 minutes
    Defines the frequency, in minutes, that the gateway uses to check for new agents and for the size of the mailbox.

MaxMailboxSizePerAgent – REG_DWORD – default: 1024 MB
    Defines the maximum size, in megabytes (MB), for the mailbox per agent. If this size is exceeded, the oldest content is deleted.

ArchivePeriod – REG_DWORD – default: 5
    Defines the number of days Advisor retains data in the sent items folder after the data is uploaded.

MaxLogSize – REG_DWORD – default: 100
    Defines the maximum size, in MB, for the log file. Specify a number greater than 10. (By default, a lower number indicates that logging should not occur, because an individual log file can be 10 MB.)

BlockUpload – REG_DWORD – default: not applicable
    Indicates whether to upload content to the service. If this registry setting is present, content is not uploaded.

LogLevel – REG_DWORD – default: 3
    Defines the level of logging for the gateway.

Configuring the agent

The following table lists the registry values and default values for the agent's configuration settings. The registry values for the agent are stored under HKLM\Software\Microsoft\SystemCenterAdvisor\Agent.

After you change any of the registry keys, you will need to restart the agent. To restart the agent, in the Services console, right-click System Center Management, and then click Restart.

Each entry below gives Setting Name – Type – Default Value, followed by its description.

GatewayServer – REG_SZ – default: not applicable; this value is supplied during agent installation
    Defines the gateway server for this agent.

UploadFrequency – REG_DWORD – default: 1
    Defines how frequently the agent uploads data to the gateway. Use one of the following values:
      • 1 – Data is uploaded every 12 hours
      • 2 – Data is uploaded every 24 hours
      • 3 – Data is uploaded once per week
    Note: If you set the value to 3, you must also set the UploadDay.

UploadDay – REG_DWORD – default: 1
    Defines the day of the week to upload data to the gateway. The day of the week is represented by a number, where 1 is Monday and 7 is Sunday.
    Note: Use this setting only when the UploadFrequency key is set to 3.

UploadTimeHour – REG_DWORD – default: a random number between 0 and 1
    Defines the hour of the day to upload data to the service. Use a number between 0 and 23 to specify the hour.

UploadTimeMin – REG_DWORD – default: a random number between 0 and 59
    With the UploadTimeHour setting, defines the minute to upload data to the service. Use a number between 0 and 59.

MaxCacheSize – REG_DWORD – default: 1024 MB
    Defines the maximum size, in MB, for the cache folder on the agent. This folder contains data collected from the health service that has not yet been packaged and sent to the gateway.

MaxMailboxSize – REG_DWORD – default: 1024 MB
    Defines the maximum size, in MB, for the mailbox on the agent. If this size is exceeded, the oldest content is deleted.

ArchivePeriod – REG_DWORD – default: 0
    Defines the number of days Advisor retains data in the sent items folder after the data is uploaded.

MaxLogSize – REG_DWORD – default: 100
    Defines the maximum size, in MB, for the log file. Specify a number greater than 10 (By default, a lower number indicates that logging should not occur, because an individual log file can be 10 MB).

BlockUpload – REG_DWORD – default: not applicable
    Indicates whether to upload content to the gateway. If this registry setting is present, content is not uploaded.

LogLevel – REG_DWORD – default: 3
    Defines the level of logging for the agent.
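The gateway and agent tables above describe the same upload schedule values, so one added PowerShell example (not from the original post or from the Advisor product) serves both: it changes the schedule to a weekly upload on Sunday at 03:30, refuses the weekly frequency without an explicit UploadDay as the tables require, writes the values as REG_DWORD, reads them back, and restarts the service by the display name the post gives. The key path is the one from the gateway table with the backslashes the extraction dropped restored; the chosen schedule values (3, 7, 3, 30) are illustrative. Run it elevated on the gateway.

```powershell
# Added example: reschedule Advisor uploads through the registry values listed above.
# Gateway key (agent key is ...\SystemCenterAdvisor\Agent, see the usage note).
$gatewayKey = 'HKLM:\Software\Microsoft\SystemCenterAdvisor\Gateway'

function Set-AdvisorUploadSchedule {
    param(
        [string]$Key,
        [ValidateRange(1,3)][int]$UploadFrequency,   # 1=12h, 2=24h, 3=weekly
        [ValidateRange(1,7)][int]$UploadDay = 1,     # 1=Monday .. 7=Sunday
        [ValidateRange(0,23)][int]$Hour,
        [ValidateRange(0,59)][int]$Minute
    )
    # The tables state that UploadDay must be set whenever UploadFrequency is 3.
    if ($UploadFrequency -eq 3 -and -not $PSBoundParameters.ContainsKey('UploadDay')) {
        throw 'UploadFrequency=3 (weekly) requires an explicit UploadDay (1=Monday .. 7=Sunday).'
    }
    $values = @{
        UploadFrequency = $UploadFrequency
        UploadDay       = $UploadDay
        UploadTimeHour  = $Hour
        UploadTimeMin   = $Minute
    }
    foreach ($pair in $values.GetEnumerator()) {
        # -Type DWord matches the REG_DWORD type listed for these values.
        Set-ItemProperty -Path $Key -Name $pair.Key -Value $pair.Value -Type DWord
    }
}

Set-AdvisorUploadSchedule -Key $gatewayKey -UploadFrequency 3 -UploadDay 7 -Hour 3 -Minute 30

# Read back what is now in the registry before restarting the service.
Get-ItemProperty -Path $gatewayKey |
    Select-Object UploadFrequency, UploadDay, UploadTimeHour, UploadTimeMin |
    Format-List

# The post says the gateway service must be restarted for changes to take effect.
Restart-Service -DisplayName 'System Center Advisor Gateway'
```

For an agent, call the same function with `HKLM:\Software\Microsoft\SystemCenterAdvisor\Agent` and restart with `Restart-Service -DisplayName 'System Center Management'` instead. Because BlockUpload blocks uploads merely by being present, the way to re-enable uploads is to delete the value with Remove-ItemProperty rather than set it to 0.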

 

Advisor Deployment Troubleshooting

http://onlinehelp.microsoft.com/en-us/advisor/gg608178.aspx

 

One of the most common comments I receive in BitLocker deployments is: how do you enforce it on all systems with zero touch?

MBAM fixes this issue.

Overview

Microsoft BitLocker Administration and Monitoring (MBAM) builds on BitLocker in Windows 7 and offers you an enterprise solution for BitLocker provisioning, monitoring and key recovery. MBAM will help you simplify BitLocker provisioning and deployment independent or as part of your Windows 7 migration, improving compliance and reporting of BitLocker, and reducing support costs. This document assumes that you already understand Bitlocker and group policies in general, and that you want a tool to more easily manage those security features.

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker drive encryption. MBAM allows you to select BitLocker encryption policy options appropriate to your enterprise, monitor client compliance with those policies, report on the encryption status of the enterprise as well as individual computers, and recover lost encryption keys.

If you feel lost, please review my post regarding BitLocker.

Architecture Overview

The BitLocker Administration and Monitoring client agent performs the following tasks:

  • Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
  • Gathers the recovery key for the three BitLocker drive types: operating system drives, fixed data drives, and removable data drives (that is, USB drives)
  • Gathers compliance data for the computer and passes the data to the reporting system

Administration and Monitoring Server: hosts the Management Console and monitoring web services. The Management Console is used to determine enterprise compliance status and audit activity, manage Hardware Capability, and access recovery data (for example, BitLocker recovery keys).

Compliance and Audit Database: stores compliance data for BitLocker Administration and Monitoring client computers.

Recovery and Hardware Database: stores recovery data that is collected from BitLocker Administration and Monitoring client computers.

Compliance and Audit Reports: uses SQL Server Reporting Services (SSRS) to provide BitLocker Administration and Monitoring reports. These reports can be accessed from the Management Console or directly from the SSRS server.

Policy Template: the Group Policy template that specifies the BitLocker Administration and Monitoring implementation of BitLocker drive encryption.

 

Prerequisites

 

Server Operating System Requirements: Windows Server 2008 SP2 or later.

 

Prerequisites for Administration and Monitoring Server

The following is a list of the prerequisites for the BitLocker Administration and Monitoring server:

Windows Server Web Server Role, with these Role Services:

Common HTTP Features:

  • Static Content
  • Default Document

Application Development:

  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters

Security:

  • Windows Authentication
  • Request Filtering

Windows Server Features:

.NET Framework 3.5.1 Features:

  • .NET Framework 3.5.1
  • WCF Activation: HTTP Activation

Windows Process Activation Service:

  • Process Model
  • .NET Environment
  • Configuration APIs
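To avoid clicking through Server Manager, here is an added PowerShell example (not from the MBAM documentation) that installs the role services and features listed above on Windows Server 2008 R2 through the ServerManager module and then verifies that none are missing. The feature names are the ones Get-WindowsFeature reports on that release; run it elevated on the Administration and Monitoring server.

```powershell
# Added example: install the MBAM web-server prerequisites on Windows Server 2008 R2.
# Run in an elevated PowerShell on the Administration and Monitoring server.
Import-Module ServerManager

$features = @(
  'Web-Server',            # Web Server (IIS) role
  'Web-Static-Content',    # Common HTTP Features
  'Web-Default-Doc',
  'Web-Asp-Net',           # Application Development
  'Web-Net-Ext',
  'Web-ISAPI-Ext',
  'Web-ISAPI-Filter',
  'Web-Windows-Auth',      # Security
  'Web-Filtering',
  'NET-Framework-Core',    # .NET Framework 3.5.1
  'NET-HTTP-Activation',   # WCF Activation: HTTP Activation
  'WAS-Process-Model',     # Windows Process Activation Service
  'WAS-NET-Environment',
  'WAS-Config-APIs'
)

$result = Add-WindowsFeature -Name $features
if (-not $result.Success) {
  throw "Feature installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -ne 'No') {
  Write-Warning 'A restart is required before running MBAM setup.'
}

# Verify: is anything on the list still not installed?
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
  'Still missing: ' + (($missing | ForEach-Object { $_.Name }) -join ', ')
} else {
  'All MBAM web-server prerequisites are installed.'
}
```

The MBAM setup wizard performs the same prerequisite check later; running this first means the wizard has nothing to complain about, and the verification at the end tells you which feature to chase if it still does.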

Prerequisites for the Compliance and Audit Reports Server

The Compliance and Audit Reports prerequisites include the Reporting Services feature from Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter, or Developer edition.

Prerequisites for the Recovery and Hardware Database Server

The Recovery and Hardware Database prerequisites include the following:

· Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter, or Developer edition.

· SQL Server must have the Database Engine Services and Full-Text Search features installed.

Prerequisites for the Compliance Status Database Server

The Compliance Status Database prerequisites include:

· Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter, or Developer edition.

· SQL Server must have the Database Engine Services and Full-Text Search features installed.

 

MBAM Client Operating System Requirements

  • Windows 7 Enterprise Edition, no service pack or SP1, x86 or x64
  • Windows 7 Ultimate Edition, no service pack or SP1, x86 or x64

· Trusted Platform Module (TPM) v1.2 capability

· The TPM chip must be turned on in the BIOS and be resettable from the operating system. Look in the BIOS documentation for more information.

BitLocker Administration and Monitoring server components can be installed in one of three server configurations.

· Single computer configuration
All BitLocker Administration and Monitoring features are installed on a single server. This configuration is supported, but only recommended for testing purposes.

· Three-computer configuration
Server features are installed in the following configuration:

  • Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server
  • Administration and Monitoring Server feature is installed on a second server
  • Group Policy template is installed on a server or client computer

· Five-computer configuration
Each server feature is installed on a dedicated computer:

  • Recovery and Hardware Database
  • Compliance Status Database
  • Compliance and Audit Reports
  • Administration and Monitoring Server
  • Group Policy Template is installed on a server or client computer

A three- or five-computer configuration is recommended for production environments.

 

Now let's install.

image

Accept the license terms.

image

I will be using one server to hold all the roles.

image

The wizard checks that everything it needs is installed.

image

Of course, in production you will need to encrypt the network communication with a certificate at this step; these web services carry recovery keys.

image

Select the Recovery and Hardware database.

image

Compliance and Audit database.

image

 

Select your reporting server.

image

Select the website for MBAM.

image

If another website already uses the same port, the wizard will not accept it.

image

Select whether you want to use Microsoft Update.

image

Ready to install.

image

If setup fails, you can install the features one at a time.

image

Now let's set the needed user roles:

  • MBAM System Administrators have access to all BitLocker Administration and Monitoring features. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Hardware Users have access to the Hardware Capability features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Helpdesk Users have access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Report Users have access to the Compliance and Audit reports from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server, Compliance and Audit Reports Server, and Compliance Status Database Server.
  • MBAM Advanced Helpdesk Users have increased access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.

The Helpdesk features are where recovery keys are retrieved, so membership of the Helpdesk groups is effectively access to every escrowed key; treat them like any other privileged group.

 

image

MBAM creates all of the local groups below.

image

Now for the configuration.

MBAM integrates with Group Policy, as you see below.

image

Now test the following to see whether it is working:

http://<machinename>:<port>/default.aspx (confirm each of the navigation and report links)

· http://<machinename>:<port>/MBAMAdministrationService/AdministrationService.svc

· http://<machinename>:<port>/MBAMComplianceStatusService/StatusReportingService.svc

· http://<machinename>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc
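To script the same check, here is an added PowerShell example (not from the MBAM documentation) that requests each of the URLs above with the caller's Windows credentials, since the MBAM sites use Windows Authentication, and prints the HTTP status for each. It assumes the server name mbam01 and port 8080 that the GPO configuration later in this post uses; change them to match your installation. It works on the PowerShell 2.0 that ships with Windows Server 2008 R2, so it uses HttpWebRequest rather than Invoke-WebRequest.

```powershell
# Added example: smoke-test the MBAM web services after setup.
$server = 'mbam01'   # assumption: MBAM server name
$port   = 8080       # assumption: website port chosen in setup

$urls = @(
  "http://${server}:${port}/default.aspx",
  "http://${server}:${port}/MBAMAdministrationService/AdministrationService.svc",
  "http://${server}:${port}/MBAMComplianceStatusService/StatusReportingService.svc",
  "http://${server}:${port}/MBAMRecoveryAndHardwareService/CoreService.svc"
)

foreach ($u in $urls) {
  $req = [System.Net.HttpWebRequest]::Create($u)
  $req.UseDefaultCredentials = $true   # the sites use Windows Authentication
  $req.Timeout = 10000
  try {
    $resp = $req.GetResponse()
    "{0,-4} {1}" -f [int]$resp.StatusCode, $u
    $resp.Close()
  } catch [System.Net.WebException] {
    # 401 here usually means the account is not in one of the MBAM groups;
    # a connection error means the site or port is wrong
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'ERR' }
    "{0,-4} {1}  ({2})" -f $status, $u, $_.Exception.Message
  }
}
```

A 200 on every line is the expected result. Run it once from the server and once from a client on another subnet; the second run is the one that catches firewall and name-resolution problems before the agent hits them.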

the expected results should be

image

 

image

 

image

as you can see you

image

 

Now to deploy the client: we deploy it through a GPO (just like any MSI), and the client receives its configuration through Group Policy.

So we create a share and place both clients in it:

  • MBAMClient-32bit.msi
  • MBAMClient-64bit.msi

 

Now, under Software Installation, we add both clients.

image

Now we rename them and, on the 32-bit package, remove the ability to install the x86 application on an x64 OS, because we have a dedicated x64 client.

image

Click Advanced.

image

Uncheck "Make this 32-bit X86 application available to Win64 machines".

image

 

After the agent is installed, you should find the following service up and running.

image

Now back to the GPO; let's set the basic configuration.

Under MDOP MBAM, under Data Recovery:

Enable and configure the MBAM backend (key recovery) service.

image

The backend URL:

http://mbam01:8080/MBAMRecoveryAndHardwareService/CoreService.svc

Now, under Reports:

Enable the reporting URL.

image

 

image

http://mbam01:8080/MBAMComplianceStatusService/StatusReportingService.svc

Now let's have an overview of the policy options.

image

image

image

image

image

image

image

 

Global Policy Definitions

This section describes Global Policy definitions for BitLocker Administration and Monitoring.

Policy Name

Overview and Suggested Policy Setting

Prevent memory overwrite on restart

This policy setting is the same as the BitLocker policy.

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

Suggested Configuration: Not configured

When the policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

This policy setting is the same as the BitLocker policy.

Configure this policy to use smartcard certificate-based BitLocker protection.

Suggested Configuration: Not configured

When policy is not configured, a default object identifier “1.3.6.1.4.1.311.67.1.1” is used to specify a certificate.

Provide the unique identifier for your organization

This policy setting is the same as the BitLocker policy.

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

Suggested Configuration: Not configured

When policy is not configured, the Identification field is not used.

Choose drive encryption method and cipher strength

This policy setting is the same as the BitLocker policy.

Configure this policy to use a specific encryption method and cipher strength.

Suggested Configuration: Not configured

When policy is not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Data Recovery Policy Definitions

This section describes MBAM Data Recovery Policy Definitions

Policy Name

Overview and Suggested Policy Setting

Configure key recovery service

This policy setting lets you manage the key recovery service to back up BitLocker recovery information. The setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss because of the lack of key information.

Suggested Configuration: Enabled, with Key recovery information to backup set to Recovery Password and key package.

When this policy setting is enabled, the recovery password and key package will be automatically and silently backed up to configured key recovery server location.

Operating System Drive Policy Definitions

This section describes MBAM Operating System Drive Policy Definitions.

Policy Name

Overview and Suggested Policy Setting

Operating system drive encryption settings

This policy setting determines whether the operating system drive will be encrypted.

Configure this policy to do the following:

· Enforce BitLocker protection for the operating system drive.

· Configure PIN usage to use a TPM PIN for operating system protection.

· Configure enhanced startup PINs to allow the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces.

If you enable this policy setting, the user will have to secure the operating system drive using BitLocker.

If you do not configure or if you disable the setting, the user will not have to secure the operating system drive with BitLocker.

Suggested configuration: Enabled

When enabled, this policy setting requires that the user secures the operating system by using BitLocker protection and drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive. For higher security requirements, use “TPM + PIN”, allow enhanced PINs, and set the minimum PIN length to 8.

Choose how BitLocker-protected operating system drives can be recovered

This policy setting is the same as the BitLocker policy.
Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
Suggested Configuration: Not configured
When this policy is not configured, the data recovery agent is allowed, recovery information is not backed up to AD DS, and the recovery options, including the recovery password and recovery key, can be specified by the user.

Configure TPM platform validation profile

This policy setting is the same as the BitLocker policy.

This policy setting lets you configure how the Trusted Platform Module (TPM) security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Suggested Configuration: Not configured

When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.
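As an added example that is not part of MBAM or its documentation, the following PowerShell script reads the BitLocker and TPM WMI providers on a Windows 7 client and reports what the operating system drive policy above is meant to enforce: whether the TPM is present and enabled, the drive's protection status and encryption method, which key protector types are in use (TPM alone versus TPM + PIN), and whether a numerical recovery password exists for the key recovery service to escrow. The numeric codes are the ones documented for Win32_EncryptableVolume; the warnings at the end correspond to the suggested configuration in this section. Run it elevated; it only reads.

```powershell
# Added example: audit a Windows 7 client's OS drive against the suggested
# policy (TPM + PIN, recovery password escrowed). Read-only; run elevated.

$volNs   = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNs   = 'root\CIMV2\Security\MicrosoftTpm'
$osDrive = $env:SystemDrive                       # e.g. C:

# Codes from the Win32_EncryptableVolume documentation
$protectorNames = @{
  0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
  4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
  7 = 'Public key'; 8 = 'Passphrase'
}
$methodNames = @{
  0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'
  3 = 'AES 128'; 4 = 'AES 256'
}
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

# TPM: the client requirements call for TPM 1.2, turned on in the BIOS
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
if ($tpm) {
  $enabled   = $tpm.IsEnabled().IsEnabled
  $activated = $tpm.IsActivated().IsActivated
  $owned     = $tpm.IsOwned().IsOwned
  "TPM spec {0}: enabled={1} activated={2} owned={3}" -f $tpm.SpecVersion, $enabled, $activated, $owned
} else {
  Write-Warning 'No TPM visible to Windows (absent, or disabled in the BIOS)'
}

$vol = Get-WmiObject -Namespace $volNs -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $osDrive }
if (-not $vol) { throw "No encryptable volume found for $osDrive" }

$protection = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
$conv       = $vol.GetConversionStatus()                          # EncryptionPercentage, ConversionStatus
$method     = [int]$vol.GetEncryptionMethod().EncryptionMethod
$types      = @()
foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {  # 0 = all protector types
  $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
}

"Drive             : $osDrive"
"Protection        : " + $protectionNames[$protection]
"Encryption        : {0}% encrypted (conversion status {1})" -f $conv.EncryptionPercentage, $conv.ConversionStatus
"Encryption method : " + $methodNames[$method]
"Key protectors    : " + (($types | ForEach-Object { $protectorNames[$_] }) -join ', ')

# The findings MBAM's compliance report would flag for this policy
$hasTpmPin   = ($types -contains 4) -or ($types -contains 6)
$hasRecovery = $types -contains 3
if ($protection -ne 1) { Write-Warning 'OS drive is not protected by BitLocker' }
if (-not $hasTpmPin)   { Write-Warning 'Suggested setting is TPM + PIN, but no TPM+PIN protector is present' }
if (-not $hasRecovery) { Write-Warning 'No numerical recovery password; the key recovery service has nothing to escrow' }
```

This is the same data the MBAM agent collects and reports, so it is a quick way to check a single machine when the compliance report and the user disagree, or to confirm that a pilot GPO really produced TPM + PIN rather than TPM-only before you roll it out.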

Fixed Data Drive Policy Definitions

This section describes MBAM Fixed Data Drive Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Fixed data drive encryption settings

This policy setting lets you manage whether the fixed data drive must be encrypted or not.

When enabling this policy, you must not disable the “Configure use of password for fixed data drives” policy.

If the Enable auto-unlock fixed data drive option is checked, the OS volume must be encrypted

If you enable this policy setting, the user will have to put all fixed data drives under BitLocker protection and the drives will be encrypted.

If you disable this policy setting, then it is not required to put fixed data drive under BitLocker protection.

If you do not configure this policy setting, then it is not required to put fixed data drive under BitLocker protection.

Suggested Configuration: Enabled; and check the Enable auto-unlock fixed data drive option.

Deny write access to fixed drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

Suggested Configuration: Not configured

When the policy is not configured, all fixed data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected fixed data drive from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow fixed data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested configuration: Not configured

When the policy is not configured, fixed data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for fixed data drives

This policy setting is the same as the BitLocker policy.

Enable this policy to configure password protection on fixed data drives.

Suggested configuration: Not configured

When the policy is not configured, passwords will be supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected fixed drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When policy is not configured, the BitLocker data recovery agent is allowed, the recovery options, including the recovery password and recovery key, can be specified by the user, and recovery information is not backed up to AD DS

Removable Data Drive Policy Definitions

This section describes MBAM Removable Data Drive Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Control use of BitLocker on removable drives

This policy setting is the same as the BitLocker policy.

This policy controls the use of BitLocker on removable data drives.

Check the Allow users to apply BitLocker protection on removable data drives option to let the user run the BitLocker setup wizard on a removable data drive.

Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker drive encryption from the drive or suspend the encryption while maintenance is performed.

Suggested configuration: Enabled

Deny write access to removable drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

Enable this policy to only allow write access to BitLocker protected drives.

Suggested Configuration: Not configured

When this policy is not configured, all removable data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected removable data drive from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow removable data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested Configuration: Not configured

When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for removable data drives

This policy setting is the same as the BitLocker policy

Enable this policy to configure password protection on removable data drives.

Suggested configuration: Not configured

When this policy is not configured, passwords are supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected removable drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When not configured, the data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Report Policy Definitions

This section describes the MBAM Report Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Configure status reporting service

This policy setting establishes a location for collecting compliance status reports and sets the time between the generating of reports.

If you enable this policy setting, the status report and updated key recovery information will be automatically and silently sent to the configured report server location.

If you do not configure or disable this policy setting, the status report and updated key recovery information will not be saved.

Suggested Configuration: Enabled

When it is enabled, this policy provides an administrative method of generating a compliance report.

The default is set to every 720 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Client Management Policy Definition

This section describes MBAM Client Management Policy definitions.

Policy Name

Overview and Suggested Policy Setting

Configure client checking frequency in minutes

This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer.

If you enable this policy setting, the client will check the BitLocker protection policies and status on the client computer at the configured frequency.

If you do not configure or disable this policy setting, the client checks the BitLocker protection policies and status on the client computer every 90 minutes.

Suggested Configuration: Enabled

The default is set to every 90 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Allow hardware compatibility checking

This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on drives of a computer.

When enabling this policy, the administrator has to make sure that the Microsoft BitLocker Administration and Monitoring service is installed with the “Hardware Capability” sub-feature.

When enabling this policy you must enable the “Configure Key Recovery service” policy and have it configured.

If you enable this policy setting, the model of the computer will be validated against the hardware compatibility list before it enables BitLocker protection on drives of a computer to ensure the model is BitLocker-capable

If you disable or do not configure this policy setting, the computer model will not be validated against the hardware compatibility list.

Suggested Configuration: Enabled

Enable this if your enterprise has older computer hardware or computers that do not support TPM. If this is the case, enable Hardware Compatibility checking to make sure that MBAM is only applied to computer models that support it. If all computers in your organization support BitLocker, you do not have to deploy the Hardware Compatibility, and you can set this policy to Not Configured.

Configure user exemption policy

This policy allows configuring a URL, email address, or telephone number that will instruct users how to request exemption from BitLocker protection.

If you enable this policy setting and provide a URL, mailing address, or telephone number, the user will be able to apply for exemption and will see a dialog with instructions on how to apply for exemption from BitLocker protection.

If you disable or do not configure this policy setting, the user will not see a message for instructions on how to apply for an exemption from BitLocker protection. The request exemption form will not be available to the user.

Suggested Configuration: Not Configured

Enable this policy if your organization wants to let a user or computer be exempted from BitLocker protection.

User-Based Group Policy Definitions

This section describes user-based MBAM Group Policy definitions.

Policy Name

Overview and Suggested Policy Settings

Allow the user to be exempted from BitLocker encryption

This policy lets MBAM be configured to exempt a user from BitLocker encryption.

If you enable this policy setting, the specified user is exempted from BitLocker encryption.

If you disable this policy setting, the specified user is denied exemption from BitLocker encryption. Also, the exemption is not available to the user.

If you do not configure this policy setting, the user is not exempted from BitLocker encryption, and the exemption option is not available to the user.

Suggested Configuration: Not configured

 

How to Grant User Exemptions

Microsoft BitLocker Administration and Monitoring (MBAM) can grant two forms of exemption from BitLocker protection, computer exemption and user exemption. Because BitLocker policy is applied to the computer, we recommend that you control BitLocker protection by exempting computers. Your organization can also manage BitLocker protection by exempting users.

To exempt users from BitLocker protection, an exempt user is added to a security group for Group Policy. When members of this security group sign on to a computer, the user Group Policy shows that the user is exempted from BitLocker protection. The user policy overrides the computer policy, and the computer will remain exempt from BitLocker protection. However, if the computer is already BitLocker-protected, the user exemption policy has no effect.

The following table shows how BitLocker protection is applied based on how exemptions are set.

User status        Computer not exempt                                    Computer exempt
User not exempt    BitLocker protection is enforced on the computer       BitLocker protection is not enforced on the computer
User exempt        BitLocker protection is not enforced on the computer   BitLocker protection is not enforced on the computer

List of Log Files for MBAM

The following article describes the locations for the log files used by Microsoft BitLocker Administration and Monitoring (MBAM) during setup and operation.

Setup

In order to get setup log files, install BitLocker Administration and Monitoring with msiexec and the /L <location> option. Log files will be created in the location specified.

Application and Monitoring

MBAM uses the IIS logs by default for its websites and services. These are located under %SystemDrive%\inetpub\logs, in one W3SVC<site ID> folder per site.

Client

For the BitLocker client, the Admin and Operational log files are located in Event Viewer, under Application and Services Logs / Microsoft / Windows / BitLockerManagement.

This is the final look of the console.

If you find something missing, make sure you are a member of the corresponding MBAM users group.

image

image

 

image

image

 

One of the reports:

image

Migrations: what an interesting topic; each and every one of us will do one eventually. Currently I am working on several projects (secure endpoint), and a part of these projects is Windows 7. This post series will help anyone interested in migrating to Windows 7, in easy steps.

So the first part of this series is the assessment.

This part is one of the important parts, because if you don't know what you have, you will not know how to fix it. We will be using several tools to do our migrations.

We will be using one server with 2 GB RAM and 160 GB disk space throughout this series.

The Assessment Tools

Microsoft® Application Compatibility Toolkit (ACT)

The Microsoft® Application Compatibility Toolkit (ACT) 5.6 enables software developers, independent software vendors (ISVs), and IT professionals who work in a corporate environment to determine, before deployment within the organization, whether their applications are compatible with a new version of the Windows® operating system. ACT also enables such individuals to determine how an update to the new version will affect their applications.

You can use the ACT features to:

  • Verify your application’s, device’s, and computer’s compatibility with a new version of the Windows operating system, including determining your risk assessment.
  • Verify a Windows update’s compatibility, including determining your risk assessment.
  • Become involved in the ACT Community, including sharing your application assessment with other ACT users.
  • Test your applications for issues related to User Account Control (UAC) by using the Standard User Analyzer (SUA) tool.
  • Test your Web applications and Web sites for compatibility with new releases and security updates to Internet Explorer®, by using the Internet Explorer Compatibility Test Tool.

For a better understanding of application compatibility, please visit http://technet.microsoft.com/en-us/library/ee461265(v=WS.10).aspx

You can download ACT from

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971&displayLang=en

Prerequisites

· .NET Framework 3.5.1

clip_image002

· Install SQL Server 2008 R2 Express

You can download it from

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e08766ce-fc9d-448f-9e98-fe84ad61f135&displaylang=en

clip_image004

clip_image006

clip_image008

clip_image010

clip_image012

Basic configuration: enable the TCP/IP and Named Pipes protocols in SQL Server Configuration Manager.

clip_image014

Installing ACT 5.6

clip_image016

clip_image018

clip_image020

clip_image022

Type in the server name and the name of the database (the database can be anything)

clip_image024

Set a folder that will receive the logs from the clients

clip_image026

clip_image028

clip_image030

Starting the management console and creating a data collector

clip_image032

The label is used if you want to create more than one package (for example, one per department) and later need to filter on it.

clip_image034

Saving the created package

clip_image036

clip_image038

Creating a GPO to auto-install that package across our environment

First we place the package inside a share that all clients can access read-only.

clip_image040

Create a GPO that applies to Windows XP only

We create a GPO with a WMI filter attached (we don't need to install the package on Windows Server 2003 or any other version of Windows).

Windows versions, for your reference (the % is the WQL LIKE wildcard, so "6.0%" matches 6.0.6001, 6.0.6002 and so on):

  • Windows 2000 Server = 5.0%
  • Windows 2000 Workstation = 5.0%
  • Windows Server 2003 = 5.2%
  • Windows XP = 5.1% (Windows XP Professional x64 Edition reports 5.2%, like Server 2003)
  • Windows Server 2008 = 6.0%
  • Windows Vista = 6.0%
  • Windows Server 2008 R2 = 6.1%
  • Windows 7 = 6.1%

As you can see, only Windows Server 2003 and Windows XP have distinct version numbers; every other server/client pair shares the same version.

So to target one OS of such a pair we need to add ProductType to the WMI statement: ProductType = "1" is a workstation, ProductType <> "1" is a server (2 is a domain controller, 3 a member server). Note also that the version must be matched with LIKE, not =, because = does not expand the % wildcard and the filter would never match.

Examples

  • Windows Server 2008

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> "1"

  • Windows Vista

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"
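To see what a filter will actually do before it gates a GPO, here is an added PowerShell example (not from the original post) that runs the queries above, plus the ones for the other versions in the list, against the local machine (or a remote one, if you change the $computer assumption) and reports which of them would apply. A WMI filter applies when its query returns at least one row, so an empty result here means Group Policy would skip the GPO on that host.

```powershell
# Added example: dry-run GPO WMI filters on a machine before linking them.
# Group Policy applies a filter when its query returns at least one row.

$filters = @{
  'Windows XP x86'         = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"'
  'Windows XP x64'         = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType = "1"'   # XP x64 reports 5.2, like Server 2003
  'Windows Server 2003'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType <> "1"'
  'Windows Vista'          = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"'
  'Windows Server 2008'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> "1"'
  'Windows 7'              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
  'Windows Server 2008 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1"'
}

# '.' is the local host (assumption); use a hostname to test a remote machine,
# which needs WMI allowed through its firewall
$computer = '.'

$os = Get-WmiObject -ComputerName $computer -Class Win32_OperatingSystem
"Target: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType

foreach ($name in ($filters.Keys | Sort-Object)) {
  $rows    = @(Get-WmiObject -ComputerName $computer -Query $filters[$name])
  $verdict = if ($rows.Count -gt 0) { 'APPLIES' } else { 'skip   ' }
  "{0}  {1}" -f $verdict, $name
}
```

Exactly one line should read APPLIES on any given machine; if none does, the query is wrong (the usual cause is = instead of LIKE), and if two do, the filter is not as selective as you think.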

To explore WMI we download a tool called WMI Explorer.

You can download it from http://www.ks-soft.net/hostmon.eng/wmi/index.htm

clip_image042

We create a WMI filter in the GPO with our SELECT statement.

clip_image044

Next we import the ACT MSI file into the GPO's Software Installation section.

clip_image046

We change the WMI filtering to the ACT filter (Windows XP).

clip_image048

Now every XP machine that restarts will install our collector package.

Note: it might take several restarts for the package to be distributed properly.

Note: before you start, you need only one KMS host in your organization, so don't start entering KMS keys on all of your servers. I have seen this happen once and it caused a lot of issues. Having the KMS host is the same as having the old Windows XP VLK key: it's unlimited. This does not mean you don't have to buy each and every Windows you have, but in a lot of scenarios this will help you. KMS is your friend.

 

What is KMS?

Key Management Service (KMS) uses a KMS key to establish an activation service that is hosted locally in your environment. The KMS key is used only to activate a computer that you designate as the KMS host to enable KMS. After the service is established, your Windows Vista and Windows Server 2008 systems can activate by connecting to the KMS host.

No keys are used to activate the KMS client systems. Systems activated via KMS must reactivate at least once every six months by connecting to the KMS host. A minimum number of physical KMS client machines is required and must be maintained for activation of KMS clients to occur.

A KMS key can activate six KMS hosts (KMS servers) with up to 10 activations per host. Each host can activate an unlimited number of computers that are running the Windows Server 2008, Windows Vista Business, or Windows Vista Enterprise operating system, so you may need only a single KMS host. If you need more activations for your KMS key, you can call your Microsoft Activation Center to request an increase.

You must establish and maintain a minimum number of KMS client computers for activation to occur. You must have at least five (5) computers to activate Windows Server 2008 and at least twenty-five (25) computers to activate Windows Vista clients. Computers needed to meet the thresholds can be both physical and virtual.
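The following PowerShell is an added example (not from the original post) showing the licensing WMI classes that slmgr.vbs wraps: on a KMS host it reports how many distinct clients have checked in against the activation threshold described above, and on a client it reports which host it will use, the activation and renewal intervals, and the license state of the installed Windows product. The host name kms01.corp.example in the commented lines is a placeholder.

```powershell
# Added example: inspect KMS state through the SoftwareLicensingService and
# SoftwareLicensingProduct WMI classes (what slmgr.vbs /dlv, /dli and /skms use).

$svc = Get-WmiObject -Class SoftwareLicensingService

if ($svc.IsKeyManagementServiceMachine -eq 1) {
  # On the KMS host: distinct clients seen recently versus the threshold for this product
  "KMS host: current count {0}, required count {1}" -f $svc.KeyManagementServiceCurrentCount, $svc.RequiredClientCount
}

# On a client: explicit host (slmgr /skms) or DNS discovery of _vlmcs._tcp
$target = if ($svc.KeyManagementServiceMachine) {
  "{0}:{1}" -f $svc.KeyManagementServiceMachine, $svc.KeyManagementServicePort
} else {
  'auto-discovered via DNS SRV record _vlmcs._tcp'
}
"Client KMS target   : $target"
"Activation interval : {0} min, renewal interval: {1} min" -f $svc.VLActivationInterval, $svc.VLRenewalInterval

# License state of the installed Windows product (slmgr /dli); 1 = Licensed
$states = @{
  0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
}
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID of the Windows OS product
$products = Get-WmiObject -Class SoftwareLicensingProduct `
              -Filter "ApplicationID = '$windowsAppId' AND PartialProductKey IS NOT NULL"
foreach ($p in $products) {
  "{0,-18} {1} (partial key {2}, grace {3} min)" -f $states[[int]$p.LicenseStatus], $p.Name, $p.PartialProductKey, $p.GracePeriodRemaining
}

# To pin a client to one host and activate now (slmgr /skms then /ato), uncomment:
# $svc.SetKeyManagementServiceMachine('kms01.corp.example') | Out-Null   # placeholder host
# foreach ($p in $products) { $p.Activate() | Out-Null }
# $svc.RefreshLicenseStatus() | Out-Null
```

Clients that rely on DNS discovery will talk to whatever _vlmcs._tcp record they resolve, which is why the note above matters: only the designated host should ever hold a KMS host key, and the SRV record it publishes should be the only one in the zone.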

image

What is MAK?

A MAK is used for one-time activation of a computer with Microsoft’s hosted activation services. There are two ways to activate computers using a MAK.

  • MAK Independent activation requires each computer to independently connect and activate with Microsoft, either over the Internet or by telephone.
  • With MAK Proxy Activation, a computer acting as the MAK proxy gathers activation information from multiple computers on the network and then sends a centralized activation request to Microsoft’s hosted activation services on their behalf. A free application, the Volume Activation Management Tool (VAMT), enables you to do a MAK Proxy Activation.


What is the Volume Activation Management Tool (VAMT)?

The Volume Activation Management Tool, or VAMT, is a free Microsoft tool to help administrators perform many tasks related to Windows product activation, using a single tool.

VAMT 1.2, released as part of the Windows Automated Installation Kit (AIK), supports Windows Vista and later, and Windows Server 2008 and later. VAMT 1.2 can perform activations with a Multiple Activation Key (MAK), and enables Key Management Service (KMS) client activations.[1]

VAMT 2.0 includes several significant improvements over VAMT 1.2. It supports all of the above Windows operating systems plus Office 2010, Visio 2010 and Project 2010. VAMT 2.0 is a Microsoft Management Console (MMC) snap-in for a consistent administration experience, and is available as a standalone download. This version additionally enables administrators to manage KMS host and retail keys and activations. Admins may optionally use a Command Line Interface to script VAMT tasks vs. using the interactive GUI.

This document explains VAMT 2.0 and its benefits in more detail. We use Windows systems as our focus, but all of the capabilities apply also to Office 2010 products.

Example screenshots


Volume Activation Timeline


Setting Up VAMT


Note: VAMT uses WMI, so don’t forget to add a firewall exception on the clients for WMI traffic from the VAMT server (scope it to that server rather than opening WMI to everyone).

For more info please visit

http://technet.microsoft.com/en-us/library/ee939270.aspx

Todd wrote a great post on how to set up a KMS server, and I would like to share it with you.

Thanks, Todd, for the great post.

“”

Setting up a KMS Server

Windows 7 Volume licensing basically has three ways to activate: MAK, MAK proxy and KMS. The first two require a key and the proxy needs to use the Volume Activation Management Tool. I won’t get into MAK today; it is somewhat straightforward. If you need information, check out the information on MAK at TechNet, http://technet.microsoft.com/en-us/library/dd979805.aspx.

What I want to talk about is KMS, Key Management Service. Setting one of these servers up is as easy as making Kraft Dinner. Yes, simple. In reading the forums I see people having troubles getting one up and going. I’ll walk you through the easiest setup. This walkthrough isn’t meant for someone already using a KMS server for Windows Vista or Windows Server 2008.

If you want to activate Windows 7 clients, the simplest choice is to install Windows Server 2008 R2. You can use Windows Server 2003 or Windows Server 2008 but you need to install an update. If you have Server 2008 R2, I recommend using it; it’s just the easiest thing to do. There is a hierarchy of how the setup works; http://technet.microsoft.com/en-us/library/dd979804.aspx will give you the low down.

For me, a Windows Server 2008 R2 based KMS server made the most sense. The next step is to locate your KMS key for your volume activation. The key you are looking for is the Windows Server 2008 Std/Ent KMS B (note the KMS B).

Instead of using the MAK key when you enter the key for activation, you will enter your KMS key.


You will get a warning message that you are using a KMS key, like this.


Click OK and you will have then made a KMS host machine. That is all there is to it. Some people get worried and think they have to add a Windows 7 key for the KMS host to accept Windows 7 clients. You don’t need to do that, at least I didn’t have to.

The other thing to remember is that in order for your server to activate computers, you must have at least 5 Servers checked in for server activation to occur or 25 Windows 7 or Vista machines checked in for client activation to occur. To check the status of the computers, I find the VAMT tool which comes with the WAIK works well.

 

Setting up an Office 2010 KMS Host Server

This morning was quiet in the office so I decided to tackle adding Office 2010 to my Microsoft Deployment Toolkit installation.

I’ll cover off how you do the add and the options in another post, but in order to activate Office 2010, you have two options now: KMS or MAK. Microsoft has moved the licensing of Office to be like that of Windows 7. Makes plenty of sense, but how do you set up your infrastructure so you can activate Office 2010?

I already have a Windows 2008 R2 Server acting as my KMS Host for Windows activations, so I used that server. Don’t have a KMS Host for activating Windows 7 or Vista yet? Check my post on setting up a KMS Host Server. If you just want to use KMS for Office 2010, then that is fine too. You need to head to the Microsoft Download Center and download the Microsoft Office 2010 KMS Host software. I chose to run it on my existing KMS Server, but if you don’t yet have a KMS Server, the machine you run this on will become your KMS Host for Office 2010.


Accept the EULA and click continue and it will install.


Once the file runs, it will ask you for your KMS Key for Office 2010.


Click Yes and enter the key.


It will then return whether it was successful or not.


That is all there is to it.

Once you start installing Office 2010, the KMS activation key is already defaulted in the installation. The installation will search out your KMS host server. If everything is working properly on the DNS side, then it should activate and you will be off to the races.

If you get stuck, here are some other resources:

Microsoft Office Blog – Volume Activation Tips and Tricks

Volume Activation for Office 2010

“”
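A health check for the KMS host and clients described above, added here as an example (not code from the original post, from Todd, or from Microsoft): it reads the same SoftwareLicensingService WMI class that VAMT uses, compares the host’s current count against the 5 / 25 thresholds quoted above, and confirms that clients can discover the host through DNS. The host name and DNS zone are placeholders; the netsh firewall command and the Windows application ID are standard values, not taken from the post.

```powershell
# Added example, not from the original post: KMS host/client health check over
# WMI (the SoftwareLicensingService class VAMT and slmgr.vbs read). $KmsHost and
# $DnsZone are placeholders; thresholds are the 5 / 25 quoted in the post.
function Test-KmsHost {
    param(
        [string]$KmsHost = "kms01.corp.example",   # placeholder host name
        [string]$DnsZone = "corp.example",         # placeholder AD DNS zone
        [int]$ServerThreshold = 5,
        [int]$ClientThreshold = 25
    )
    # Remote WMI needs the WMI firewall rule group enabled on the KMS host, ideally
    # scoped to the admin box running this, e.g. on the host:
    #   netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes remoteip=<admin box IP>
    $svc = Get-WmiObject -Class SoftwareLicensingService -ComputerName $KmsHost
    if (-not $svc) { throw "WMI query to $KmsHost failed (firewall, rights or name)" }
    # Current count = distinct client machine IDs seen recently; the host only
    # answers a client type once the count reaches that type's threshold.
    $count = [int]$svc.KeyManagementServiceCurrentCount
    # Clients locate the host through the _vlmcs._tcp SRV record unless one is
    # pinned with slmgr.vbs /skms; nslookup prints the target as 'svr hostname'.
    $srv = nslookup -type=SRV "_vlmcs._tcp.$DnsZone" 2>&1 |
           Select-String "svr hostname" |
           ForEach-Object { ($_.Line -split "=")[1].Trim() }
    New-Object PSObject -Property @{
        Host               = $KmsHost
        IsKmsHost          = [bool]$svc.IsKeyManagementServiceMachine
        ListeningPort      = $svc.KeyManagementServiceListeningPort   # 1688 by default
        DnsPublishing      = [bool]$svc.KeyManagementServiceDnsPublishing
        CurrentCount       = $count
        CanActivateServers = ($count -ge $ServerThreshold)
        CanActivateClients = ($count -ge $ClientThreshold)
        TotalRequests      = $svc.KeyManagementServiceTotalRequests
        FailedRequests     = $svc.KeyManagementServiceFailedRequests
        SrvTargets         = @($srv)   # should list $KmsHost
    }
}
# Run on a client: which host it discovered and whether Windows is licensed
# (LicenseStatus 1 = Licensed, 2/3 = grace, 5 = notification). The GUID is the
# Windows application ID that slmgr.vbs filters on.
function Get-KmsClientState {
    Get-WmiObject -Class SoftwareLicensingProduct -Filter `
        "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'" |
      Select-Object Name, LicenseStatus, GracePeriodRemaining,
        KeyManagementServiceMachine, DiscoveredKeyManagementServiceMachineName
}
Test-KmsHost | Format-List
Get-KmsClientState | Format-List
```

If CanActivateClients is false while Windows 7 machines sit in grace, the host simply has not seen 25 distinct clients yet; if SrvTargets is empty, fix the _vlmcs._tcp record (or DNS publishing on the host) before looking anywhere else.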

Additional information on activation can be found at http://technet.microsoft.com/en-us/library/ee355153.aspx