BitLocker Drive Encryption

Yet again, this isn't anything new in Windows Server 2022. It's an at-rest volume encryption technology that's been around in Windows client and Windows Server for many years. It's offering in Windows Server 2022 128- or 256-bit AES encryption of the entire volume. And the value proposition is, if someone were to, say, steal a server or just steal the disks out of the server chassis and attempt to mount them elsewhere, unless they have the BitLocker key, they're not going to be able to see any data on the entire volume. So this gives you fundamental data privacy.

However, BitLocker also has a number of choices in terms of how you're doing your protectors. Startup integrity means that that BitLocker drive is attached, or keyed, to the Trusted Platform Module, or TPM, chip on the server's motherboard. And this means that the state of that disk during startup is evaluated, and if too many changes, let's say, were to happen to a motherboard, where if you did a RAM upgrade and swapped a data drive out and upgraded a processor, BitLocker may very well think that the drives are on a different chassis and would prevent boot.
So it gives you startup integrity in addition to data privacy.

There's a capability of BitLocker called Network Unlock, and this is useful, for instance, if you, as an administrator, need to service servers or, frankly, more commonly, client devices that may have the TPM-plus-PIN, or personal identification number, protector. Whereas if you're just using the TPM protector, the machine will boot as long as the startup environment is fine, and as long as the TPM chip is available and everything looks good, the machine is allowed to boot up to the logon screen. But if you've got the PIN protector, that would require an administrator, or if this were a client device, the user, to enter that PIN every startup, and that's not going to work if you're doing remote servicing. So in an Active Directory domain environment, Network Unlock allows you to store that PIN in AD and be able to do remote administration, including remote boot and reboot, without having to worry about getting hung up at a BitLocker PIN prompt.

BitLocker is available for Windows Server, Windows client, as well as Azure Windows Server virtual machines.

Now I tentatively mentioned MBAM to you.
I doubt seriously you'll see a reference to it on the exam, but I also want to deliver as much real-world value to you as I can. MBAM stands for Microsoft BitLocker Administration and Monitoring. It's part of the MDOP toolkit, the Microsoft Desktop Optimization Pack, and the main value prop that MBAM gives you is what you see on the screenshot. You basically are able to give your users a self-service web portal where they can retrieve the recovery key if it's lost, if their machine is locked and they have to go into BitLocker drive recovery. You know, there's a number of reasons that might trigger BitLocker recovery, and if they don't have the key accessible, this provides them an alternate way to get the key. Of course, they'd have to be on another machine and be able to sign into your corporate MBAM web instance here.

Now this product, the MDOP and MBAM specifically, are out of mainstream support already as of this recording in Spring 2022, and they'll be out of extended support on July 9th of 2024. So I mention this just because it's relevant to a discussion of BitLocker. I would not recommend you install MBAM in a production environment, or if you do, just understand you're basically on your own with it.
I think you're going to find that the native Active Directory BitLocker key recovery that we'll look at next, generally speaking, is a better solution, if for no other reason than AD BitLocker key recovery is in mainstream support.