
Microsoft BitLocker Administration and Monitoring Deployment Guide

Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprise-scalable solution for managing BitLocker technologies, such as BitLocker Drive Encryption and BitLocker To Go. MBAM, which is part of the Microsoft Desktop Optimization Pack, helps you improve security compliance on devices by simplifying the process of provisioning, managing, and supporting BitLocker-protected devices. This guide helps you choose a deployment method for MBAM and provides step-by-step instructions for each method.


MBAM DEPLOYMENT GUIDE | INTRODUCTION 1

Introduction

Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on computers and removable drives running the Windows 8 or Windows 7 operating systems and Windows to Go. Microsoft BitLocker Administration and Monitoring (MBAM) version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance, makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives.

Note: For BitLocker To Go–protected drives, BitLocker stores the recovery keys but does not monitor encryption.

The key benefits of using MBAM to manage BitLocker technologies include:

• Simplified provisioning and management. BitLocker deployment is easier with MBAM, because MBAM can be integrated with existing automated provisioning and deployment processes to ensure that existing and new devices are protected. You can provision BitLocker as a part of or after operating system deployment, then use Group Policy settings for ongoing BitLocker management and compliance enforcement.

• Improved compliance and reporting. Encryption and protection of sensitive information are essential to organizational compliance programs. MBAM includes built-in reports that provide the current BitLocker encryption status of devices. MBAM also audits access to BitLocker recovery keys and can provide reports on who accessed specific recovery key information.

• Reduced support effort. A customized MBAM Control Panel app replaces the default BitLocker Control Panel item and allows users to manage local MBAM and BitLocker configuration. Secure, web-based recovery key management portals allow help desk staff and users to recover BitLocker-enabled devices. Together, the customized Control Panel app and these portals allow users and IT staff to perform common tasks, such as starting the encryption process or managing the BitLocker PIN, without you having to grant administrative rights to the managed devices. Enabling self-service support helps reduce BitLocker-related help desk tickets by empowering users and making IT staff more efficient and effective.

To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker Administration and Monitoring content on the Microsoft Desktop Optimization Pack website.

This guide describes how to deploy MBAM, with a focus on automating the deployment and configuration of the MBAM client to managed devices. It first describes the MBAM components. Then, it shows you how to prepare for deployment and provides step-by-step instructions for deploying the MBAM client by using the following tools and technologies:

• Group Policy software installation
• Microsoft Deployment Toolkit (MDT) 2012
• Microsoft System Center 2012 Configuration Manager
• Scripted installation (e.g., command prompt)

MBAM components

MBAM uses a client–server model to manage BitLocker. You can deploy MBAM in either a stand-alone or MBAM Configuration Manager topology. Each topology is discussed in subsequent sections.

MBAM stand-alone topology

You use the MBAM stand-alone topology (illustrated in Figure 1) when your organization does not have an existing System Center Configuration Manager infrastructure. In this topology, MBAM and Microsoft SQL Server provide all the necessary components. If your organization has a System Center Configuration Manager infrastructure, see MBAM Configuration Manager topology.

Figure 1. MBAM stand-alone topology

Table 1 describes the computers and devices in this topology and provides a brief description of MBAM components and the role of each computer and device.

Table 1. Computers and devices in the MBAM stand-alone topology

Administration and Monitoring Server: The following features are installed on this server:
  • Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a machine running the Windows Server operating system and consists of the Administration and Monitoring website, which includes the reports and the Help Desk Portal, and the monitoring web services.
  • Self-Service Portal. The Self-Service Portal is installed on a machine running Windows Server. The portal enables users on client computers to independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.

Database Server: The following features are installed on this server:
  • Recovery Database. The Recovery Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.
  • Compliance and Audit Database. The Compliance and Audit Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores compliance data for MBAM client computers, which is used primarily for reports that Microsoft SQL Server Reporting Services hosts.
  • Compliance and Audit Reports. The Compliance and Audit Reports are installed on a machine running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.

Management workstation: The following feature is installed on the Management workstation, which can be a computer running Windows Server or a client operating system:
  • Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

Managed device: The MBAM client is installed on the managed Windows device and has the following characteristics:
  • Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
  • Collects the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives
  • Collects compliance data for the computer and passes the data to the reporting system

Active Directory Domain Services (AD DS) domain controller: The following feature is installed on the domain controller:
  • Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

MBAM Configuration Manager topology

Use the MBAM Configuration Manager topology (illustrated in Figure 2) when your organization has an existing System Center Configuration Manager infrastructure. In this topology, the MBAM components are distributed across the MBAM Administration and Monitoring Server, SQL Server, and System Center Configuration Manager. In this topology, System Center Configuration Manager runs some of the MBAM components. MBAM supports System Center 2012 Configuration Manager with Service Pack 1 (SP1), System Center 2012 Configuration Manager, and Microsoft System Center Configuration Manager 2007 infrastructures.

Note: Windows to Go is not supported when you install the System Center Configuration Manager topology with System Center Configuration Manager 2007.

If your organization does not have a System Center Configuration Manager infrastructure, see MBAM stand-alone topology.

Figure 2. MBAM Configuration Manager topology

The placement of the MBAM components in the MBAM Configuration Manager topology is similar to the MBAM stand-alone topology. Table 2 describes the computers and devices in the MBAM Configuration Manager topology (illustrated in Figure 2) and provides a brief description of the MBAM components and role of each computer and device.

Table 2. Computers and devices in the MBAM Configuration Manager topology

Administration and Monitoring Server: The following features are installed on this server:
  • Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a machine running Windows Server and consists of the Administration and Monitoring website, which includes the reports, the Help Desk Portal, and the monitoring web services.
  • Self-Service Portal. The Self-Service Portal is installed on a machine running Windows Server. It enables users on client computers to independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.

Database Server: The following features are installed on this server:
  • Recovery Database. The Recovery Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.
  • Audit Database. The Audit Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores audit activity data for MBAM client computers that have accessed recovery data.

Configuration Manager Primary Site Server: The Configuration Manager Site Server collects the hardware inventory information from client computers and is used to report the BitLocker compliance of client computers. The following features are installed on this server:
  • Compliance Reports. The Compliance Reports are installed on the machine running the Reporting Services point site system role. They provide MBAM reports that you can access from the Configuration Manager console or directly from the SQL Server Reporting Services server on the Reporting Services point.
  • Audit Reports. The Compliance and Audit Reports are installed on a machine running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.

Management workstation: The following features are installed on the Management workstation, which can run Windows Server or a client operating system:
  • Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.
  • Configuration Manager console. The Configuration Manager console is used to view MBAM reports.

Managed device: The MBAM client and Configuration Manager client are installed on the managed Windows device and have the following characteristics:
  • Use Group Policy to enforce the BitLocker encryption of client computers in the enterprise
  • Collect the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives
  • Enable System Center Configuration Manager to collect hardware compatibility data about client computers
  • Enable System Center Configuration Manager to report compliance information

AD DS domain controller: The following feature is installed on the domain controller:
  • Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

Preparing for deployment

MBAM requires the following services and features for both the stand-alone and Configuration Manager topologies:

• AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain members. MBAM supports the Windows Server 2008 domain functional level or later.

• SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more information on SQL Server requirements, see the section, “SQL Server Database Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on Microsoft TechNet. For more information about deploying SQL Server in the:
  • Stand-alone topology, see Deploying MBAM in the stand-alone topology
  • Configuration Manager topology, see Deploying MBAM in the Configuration Manager topology

• Group Policy. You manage MBAM client configuration by using Group Policy settings. MBAM allows you to manage BitLocker and MBAM settings from a single template. For more information, see Deploying the MBAM Group Policy settings.

• Web server (Microsoft Internet Information Services [IIS]). The Administration and Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the Web Server (IIS) server role.

Deploying the MBAM server

You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration Manager topology. You will deploy the MBAM server components on different computers (virtual or physical) depending on your scale requirements and the MBAM deployment topology you choose.

Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two computers to MBAM—one for running MBAM web server components and one for running SQL Server.

Note: You can deploy MBAM in a single-server configuration. However, this configuration is recommended for use only in test environments. For production environments, Microsoft recommends that you use the two-server deployment configuration.

Select the MBAM deployment topology

Which MBAM deployment topology you choose is based on whether you have System Center Configuration Manager. Use the information in Table 3 to determine which MBAM deployment topology is right for you.

Table 3. MBAM deployment topologies and when to select them

Stand-alone topology: Select this topology when your organization does not have an existing System Center Configuration Manager infrastructure or is not planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM.

Configuration Manager topology: Select this topology when your organization has an existing System Center Configuration Manager infrastructure or is planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM. MBAM supports System Center 2012 Configuration Manager with SP1, System Center 2012 Configuration Manager, and System Center Configuration Manager 2007.

Deploy MBAM in the stand-alone topology

Deploying MBAM in the stand-alone topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. The MBAM stand-alone topology is illustrated in Figure 1 in the section, “MBAM stand-alone topology,” earlier in this guide.

To deploy MBAM in the stand-alone topology, perform the following steps:

1. Deploy a supported version of SQL Server on the designated computer.
   For more information about the versions of SQL Server that MBAM supports, see the section, “SQL Server Database Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

2. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional).
   If you plan to secure communication between the MBAM client and the web services, you should also secure communication to the SQL Server Database Engine by enabling encrypted connections to it. For more information about how to do so, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).

3. Ensure that the computer that will run the MBAM web server components has the necessary prerequisites.
   Note: The MBAM Web Server Installation Wizard automatically checks prerequisites before installing the MBAM web server components.
   For more information about MBAM server prerequisites, see the section, “Installation Prerequisites for MBAM Server Features,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM.

4. Install the MBAM server components.
   For more information about how to install the MBAM server components in the MBAM stand-alone topology, see the section, “How to Install and Configure MBAM on Distributed Servers,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM.

Deploy MBAM in the Configuration Manager topology

Deploying MBAM in the Configuration Manager topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. In addition, this topology requires a System Center Configuration Manager infrastructure. MBAM has no additional system requirements for System Center Configuration Manager beyond the standard system requirements. For more information about the system requirements for:

• System Center 2012 Configuration Manager, see Supported Configurations for Configuration Manager
• System Center Configuration Manager 2007, see Configuration Manager Supported Configurations

To deploy MBAM in the Configuration Manager topology, perform the following steps:

1. Deploy a supported version of SQL Server.
   For more information about the versions of SQL Server that MBAM supports, see the sections, “SQL Server Database Requirements” and “SQL Server Processor, RAM, and Disk Space Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

2. Configure the System Center Configuration Manager permissions required to install MBAM.
   For more information about how to do so, see the section, “Required Permissions to Install the MBAM Server,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

3. Edit and import the configuration.mof file.
   For more information about how to do so, see the section, “Edit the Configuration.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

4. Edit and import the sms_def.mof file.
   For more information about how to do so, see the section, “Create or Edit the Sms_def.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

5. Install the MBAM web server components.
   For more information about how to install the MBAM web server components in the MBAM Configuration Manager topology, see the section, “How to Install MBAM with the Configuration Manager Topology,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Deploying the MBAM Group Policy settings

You use Group Policy settings to manage the MBAM client, and MBAM includes an administrative template that you use to configure these settings. When you use the template, a Group Policy object (GPO) containing the MBAM client Group Policy settings will be created; you then link this GPO to the appropriate organizational units (OUs) in your AD DS hierarchy, at which point the policies will be deployed to the applicable members of the OU.

Install the MBAM Group Policy administrative template

MBAM includes a Group Policy administrative template that exposes all of the BitLocker and MBAM client configuration settings in the Group Policy Editor. Install the MBAM Group Policy administrative template on every computer from which you manage MBAM Group Policy, such as domain controllers or administrative workstations. You can also install the Group Policy administrative template in the Active Directory central store.

You install the MBAM Group Policy Template by running the MBAM Server Setup Wizard (MbamSetup.exe), which is in the \MBAM\Installers\x64 folder on the MBAM source media. To install the MBAM Group Policy templates, select only the Policy Template feature on the Select features to install page in the MBAM Server Setup Wizard (as shown in Figure 3).

Figure 3. The Select features to install wizard page

For more information on how to install the MBAM Group Policy template, see the section, “How to Install the MBAM 2.0 Group Policy Template,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Create the MBAM Group Policy settings

The MBAM Group Policy administrative template defines policy settings for the MBAM client. Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy settings you need. For example, if you have two groups within your organization that will have different configurations for BitLocker, create two GPOs—one for each group of settings. You can also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and a PIN.

MBAM Group Policy settings are in the Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management). Table 4 lists the categories of MBAM Group Policy settings and provides a brief description of each. For more information on the MBAM Group Policy settings, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Table 4. MBAM Group Policy setting categories

Global: Used to configure global BitLocker settings, such as the drive encryption method and cipher strength and whether a unique organizational identifier will be used. These settings are located in the root of the MBAM Group Policy settings hierarchy.

Client Management: Used to configure the client management aspects of the MBAM client, such as the configuration of the MBAM services that the client uses. These settings are located in the Client Management node.

Fixed Drive: Used to configure the settings that affect encryption of fixed drives, such as denying Write access to fixed drives not protected by BitLocker or choosing how BitLocker-protected fixed drives can be recovered. These settings are located in the Fixed Drive node.

Operating System Drive: Used to configure the settings that affect the operating system drive, such as requiring users to encrypt the operating system drive and the methods for recovering BitLocker-protected operating system drives. These settings are located in the Client Management node.

Removable Drive: Used to configure the settings that affect encryption of removable drives, such as controlling the use of BitLocker on removable drives or choosing how BitLocker-protected removable drives can be recovered. These settings are located in the Removable Drive node.

Configure the MBAM Group Policy settings in the GPOs that you have created (based on the information in Table 4), and then link those GPOs to the OUs that contain the devices you will use MBAM to manage. For more information on the MBAM Group Policy settings and the suggested configuration, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Manage MBAM user exemptions

In some instances, users may need to be exempt from having their drives protected by BitLocker. For example, users may bring their own devices as a part of a bring-your-own-device initiative and do not want their devices to be BitLocker protected. You can exempt users from MBAM enforcement of automatic BitLocker protection by using the Allow the user to be exempted from BitLocker encryption Group Policy setting, which is under User Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

To exempt users from MBAM enforcement of automatic BitLocker protection, perform the following steps:

1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to be exempted from BitLocker encryption Group Policy setting.

2. Create a domain security group, such as MBAM Exempt Users, that contains the user accounts of the users to be exempted.

3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the MBAM Exempt Users domain security group (created in step 2) by using GPO security filtering, as shown in Figure 4.

   Figure 4. Configuring GPO security filtering

   For more information on how to perform GPO security filtering for a specific group, see Using Security Filtering to Apply GPOs to Selected Groups.

4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the devices to be managed reside.

For more information on how to manage MBAM user exemptions, see the section, “How to Manage User BitLocker Encryption Exemptions,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.
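The four exemption steps above, scripted as an added example (not from this guide or from MBAM) with the GroupPolicy and ActiveDirectory PowerShell modules. The GPO and group names are the guide's examples; the OU distinguished names are assumed parameters, and because the guide does not document the registry value behind the Allow the user to be exempted from BitLocker encryption setting, enabling it inside the GPO is left to the Group Policy Management Editor.

```powershell
# Added example, not part of the MBAM Deployment Guide: automates the user-exemption
# procedure (create GPO, create group, security-filter the GPO to that group, link it).
#Requires -Modules GroupPolicy, ActiveDirectory
param(
    [string]   $GpoName   = 'MBAM User Exemption Policy',          # name used in the guide
    [string]   $GroupName = 'MBAM Exempt Users',                   # name used in the guide
    [string]   $GroupOU   = 'OU=Groups,DC=corp,DC=example',        # assumed: where the group lives
    [string[]] $LinkOUs   = @('OU=Workstations,DC=corp,DC=example') # assumed: OUs holding managed devices
)

# Step 1: create the GPO if it does not already exist. The exemption setting itself must
# still be enabled in the editor (its registry-backed value is not given in this guide).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Exempts members of the MBAM Exempt Users group from MBAM BitLocker enforcement'
    Write-Warning ("Open '$GpoName' in the Group Policy Management Editor and enable: " +
        'User Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)' +
        '\Allow the user to be exempted from BitLocker encryption')
}

# Step 2: create the domain security group that holds the exempted user accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Users exempted from MBAM enforcement of automatic BitLocker protection'
}

# Step 3: security filtering. A new GPO applies to Authenticated Users by default; reduce that
# to Read (computers still need Read to process the GPO) and grant Apply to the exempt group,
# so only members of the group receive the exemption policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 4: link the GPO to the OUs in which the devices to be managed reside (skip if linked).
foreach ($ou in $LinkOUs) {
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes | Out-Null }
}

# Verification: Authenticated Users should now be Read only and the exempt group the only
# principal with Apply; anything else with Apply widens the exemption beyond the intended users.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```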

Deploying the MBAM client

You must install the MBAM client on each BitLocker-enabled device you will use MBAM to manage. The client is available in 64-bit and 32-bit versions that are stored in the \MBAM\Installers\2.0\x64 and \MBAM\Installers\2.0\x86 folders, respectively, on the MBAM source media. Select the appropriate version based on the target operating system.

The MBAM client installation files include:

• MbamClientSetup.exe. This Setup program contains the MBAM client and is appropriate for methods that require an .exe file, such as scripted installation. This program passes any installer properties you use on its command line to the Windows Installer package file.

• MBAMClient.msi. This Windows Installer package contains the MBAM client and is appropriate for deployment methods that require an .msi file, such as Group Policy software deployment.

You can easily deploy the MBAM client by using almost any software or operating system deployment tool. Table 5 lists the deployment methods that this guide describes and offers suggestions for when to use each. You can also use a combination of these methods. For example, you could use MDT to deploy the MBAM client during operating system deployment and use Group Policy to deploy the MBAM client to existing computers.

Note: To drive consistency across MBAM client installations, use highly automated techniques to perform MBAM client deployments. For example, if you choose command-line deployment, ensure that you automate installation by using scripts (e.g., Windows PowerShell or batch scripts).

Table 5. Choosing a deployment method

Group Policy: Use this method when
  • You do not use an electronic software deployment (ESD) solution, such as System Center Configuration Manager or MDT
  • You already deploy software by using Group Policy
  • You want to deploy the MBAM client to existing computers
  • You want to deploy the MBAM client after operating system images are deployed
  • Computers have high-speed, persistent connections to the network share containing the installation files

MDT 2012: Use this method when
  • You use MDT for operating system deployment
  • You want to deploy the MBAM client during operating system deployment

System Center Configuration Manager: Use this method when
  • You already use System Center Configuration Manager for application and operating system deployment
  • You want to use one tool to deploy the MBAM client to existing computers or during operating system deployment
  • Computers have high-speed, persistent connections to the distribution points in which the MBAM client installation files reside

Scripted installation: Use this method when
  • You want to script installation as part of operating system installation, and you are not using MDT or System Center Configuration Manager
  • You want to deploy the MBAM client by using a non-Microsoft ESD system
  • Computers might not have high-speed, persistent connections to the enterprise network, and installation from local media might be required

BitLocker partition configuration requirements

BitLocker requires that the partitions on the targeted devices be configured properly to support

BitLocker. Ensure that the targeted devices have the correct partition configuration to support

BitLocker prior to deploying the MBAM client.

BitLocker requires the following partitions:

System partition. This unencrypted partition is used to start the target device. The system

partition must have a minimum of 100 MB of space, but larger partitions are recommended.

If the system partition is 300 MB or larger, the Windows Recovery Environment is

automatically copied to the partition when BitLocker is enabled. By default, MDT

automatically creates a 512-MB system partition.

Windows partition. This encrypted partition contains the Windows operating system,

applications, and user data. It must meet the minimum required available disk space for the

desired operating system.

In addition to the BitLocker partition requirements, the device may have

requirements such as those for Unified Extensible Firmware Interface

(UEFI). For more information on the recommended partition configuration

for BIOS and UEFI devices, see “5.1 Create a DiskPart script” in Basic

Windows Deployment Step-by-Step Guide.

For new device deployments or when you are replacing an existing device with a new device, the

operating system deployment process automatically creates the appropriate partitions. This is

true if you are performing the deployment by using the operating system deployment media or

by using automated processes such as MDT or System Center 2012 Configuration Manager.

However, in refresh device deployment scenarios, the existing device may have a partition

configuration that is inappropriate for BitLocker—for example, refreshing the Windows XP

operating system on an existing device with Windows 8. In these scenarios, you may need to

repartition the drive to support BitLocker before performing operating system deployment and

deploying the MBAM client. Ensure that you create the partitions based on the

recommendations in the “5.1 Create a DiskPart script” in Basic Windows Deployment Step-by-

Step Guide.

For more information about how MDT creates disk partitions, see the section, “Review the

Default Partition Configuration Created by MDT,” in the MDT document Using the Microsoft

Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is

discussed in the sections for each MBAM client deployment method.
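As an added example (not from the MBAM guide), the following script checks an existing device against the partition requirements above before the MBAM client is deployed: a system partition separate from the Windows partition, and a system partition of at least the 100 MB minimum. It uses the Storage module that ships with Windows 8 and Windows Server 2012 (on Windows 7, inspect the layout with DiskPart instead) and must run elevated. The 100 MB threshold is the guide's minimum; raise it if you want to enforce the larger sizes the guide recommends.

```powershell
# Added example (not from the MBAM guide): verify that the partition layout
# on this device supports BitLocker. Requires the Storage module (Windows 8 /
# Windows Server 2012 or later) and an elevated session.

function Test-BitLockerPartitionLayout {
    param([int]$MinSystemMB = 100)   # guide's minimum; larger is recommended
    $problems = @()

    # The unencrypted system partition (boot files) is flagged IsSystem;
    # the Windows partition is flagged IsBoot.
    $system  = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    $windows = Get-Partition | Where-Object { $_.IsBoot }   | Select-Object -First 1

    if (-not $system)  { $problems += 'No system partition found.' }
    if (-not $windows) { $problems += 'No Windows (boot) partition found.' }

    if ($system -and $windows) {
        # BitLocker needs the boot files on their own unencrypted partition; a
        # single-partition installation (common on upgraded devices) fails here.
        if ($system.DiskNumber -eq $windows.DiskNumber -and
            $system.PartitionNumber -eq $windows.PartitionNumber) {
            $problems += 'System and Windows partitions are the same partition; repartition before deploying.'
        }
        $sizeMB = [math]::Round($system.Size / 1MB)
        if ($sizeMB -lt $MinSystemMB) {
            $problems += "System partition is $sizeMB MB; at least $MinSystemMB MB is required."
        }
    }

    # Report the partition style as well: UEFI devices need a GPT disk.
    $disk = if ($windows) { Get-Disk -Number $windows.DiskNumber } else { $null }
    New-Object PSObject -Property @{
        PartitionStyle = if ($disk) { $disk.PartitionStyle } else { 'Unknown' }
        SystemSizeMB   = if ($system) { [math]::Round($system.Size / 1MB) } else { 0 }
        Compliant      = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

$result = Test-BitLockerPartitionLayout
$result | Format-List PartitionStyle, SystemSizeMB, Compliant, Problems
if (-not $result.Compliant) { exit 1 }   # non-zero so a task sequence or ESD job can stop here
```

Run it as a pre-check step before the MBAM client installation; a non-zero exit code flags the device for the refresh and repartition path described above rather than letting the client install on a layout BitLocker cannot protect.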

TPM and MBAM client deployment

The TPM is a microchip that stores keys in hardware, separate from the memory that the operating system controls. BitLocker uses the TPM to protect the keys that encrypt the drive: the TPM releases them only when the early boot components it measured are unchanged. BitLocker and MBAM have the following dependencies on the TPM:

The TPM must be physically enabled. The TPM must be physically enabled on the targeted device before BitLocker and MBAM can use it. Enable the TPM by using the BIOS or UEFI setup on the device, or use scripts to automate the process.

Have MBAM take ownership of the TPM. Taking ownership of the TPM allows MBAM to provide users with a file they can use to reset the TPM on their device. However, it is not required that MBAM own the TPM. Windows can automatically provision and take ownership of the TPM, which allows the TPM to be managed within Windows. If Windows owns the TPM, MBAM will be unable to help users reset the TPM on their device.

Enable the TPM

BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed

or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS

or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software

and process for enabling TPM at the hardware level is unique for each device hardware

manufacturer and sometimes within models. For fully automated deployment, such as MDT or

System Center Configuration Manager, ensure that the TPM for the device is physically enabled

within the BIOS or UEFI prior to image deployment.

In addition, enabling the TPM may require that the administrator

password for the BIOS or UEFI be configured. Some hardware vendor

tools allow you to temporarily set the administrator password, enable the

TPM, and then remove the password. Please consult the documentation

from the hardware vendor specific to the BIOS or UEFI for the device.

Most hardware vendors provide software that allows you to enable the TPM from the command

line. For information about the software for enabling a TPM from a command line, contact each

specific hardware vendor.

For information on how to run the software to enable the TPM from a command line for each

deployment method, see the step for enabling the TPM on targeted devices in the following

sections:

- Group Policy software installation
- LTI in MDT 2012
- ZTI and UDI in MDT 2012
- System Center 2012 Configuration Manager
- Scripted installation

Set the ownership of the TPM

The TPM can have only one owner. Configure TPM ownership based on the operating system on

the target device. Table 6 lists the operating systems and the recommendation for configuring

TPM ownership.

Table 6. Operating systems and ownership of the TPM

Operating system: Windows 8
Ownership: Use only one of the following:
- MBAM owns the TPM. If MBAM has ownership, MBAM can be used to help reset the TPM.
- Windows 8 owns the TPM. If Windows 8 has ownership, the user can use Windows 8 to help reset the TPM.

Operating system: Windows 7
Ownership: MBAM owns the TPM, which allows MBAM to help reset the TPM.

TPM and BitLocker pre-provisioning

BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows

operating system deployment. BitLocker pre-provisioning occurs while in the Windows

Preinstallation Environment (Windows PE) version 4.0 by using the Manage-bde.exe BitLocker

command-line utility. Automated operating system deployment methods, such as MDT and System Center 2012 Configuration Manager with SP1, automatically perform BitLocker pre-provisioning for Windows 8 and Windows 7 if the TPM is enabled.

To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following methods:

- Manually configuring the BIOS or UEFI. This method requires that the user performing the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually enabled, the operating system deployment can go on as normal.

- Automatically by running a script or other software. Most device vendors have scripts or software that allow you to enable the TPM automatically. However, these scripts or other software may need to run in a full Windows operating system (not in Windows PE). In instances where the script or software is unable to run in Windows PE and you require fully automated deployment, you cannot use BitLocker pre-provisioning.

If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating

system is deployed and the full operating system is running. The length of time to encrypt after

the operating system is deployed depends on the operating system, as shown in Table 7.

Table 7. Operating system and encryption behavior after the operating system is deployed

Operating system: Windows 8
Encryption behavior: Can use the Used Disk Space Only feature to reduce the amount of time needed to encrypt the drive. This is the default behavior for MDT task sequences.

Operating system: Windows 7
Encryption behavior: Can only encrypt the entire volume, which takes longer than the Used Disk Space Only feature in Windows 8.

Configure the MBAM client to immediately initiate encryption during

task sequences

If you deploy the MBAM client during operating system deployment, that client does not

immediately initiate encryption by default, because the MBAM client is typically configured by

Group Policy settings. That configuration occurs after the operating system is deployed and the

user starts it for the first time. As a result, the targeted device may be in an unprotected state

the first time the user starts the device, and MBAM will not have saved the recovery keys and

other secrets.

To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys,

configure the MBAM client to immediately initiate encryption during the operating system task

sequence.

Configuring the MBAM client to immediately initiate encryption during a

task sequence is applicable only when the MBAM client is being deployed

as part of operating system deployment. However, you could also

perform these steps manually on an existing device and immediately

initiate encryption and the saving of recovery keys in MBAM.

Step 1: Create the registry import files

You must create the following registry import files:

AddMBAMRegEntries.reg. This file adds the necessary registry entries to configure the

MBAM client to immediately initiate BitLocker encryption and store the recovery keys in

MBAM.

RemoveMBAMRegEntries.reg. This file removes the registry entries that the

AddMBAMRegEntries.reg file adds. After this file runs, the registry will be ready for

normal configuration by using the MBAM Group Policy settings.

To create a registry import file that configures the MBAM client to immediately initiate

encryption during a task sequence

1. Install the MBAM client on a device that has not yet been encrypted.

2. Stop the MBAM client by typing the following command at an elevated command

prompt:

NET STOP MBAMAGENT

3. Import the registry template file MBAMDeploymentKeyTemplate.reg located in \Program

Files\Microsoft\MDOP.

4. Start RegEdit.exe, and make the following registry changes in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM:

a. Modify the KeyRecoveryServiceEndPoint registry setting to use the URL for

your MBAM server.

b. Add a new key NoStartupDelay as a DWORD with a value of 1.

5. Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM registry subkey to

the AddMBAMRegEntries.reg file by using RegEdit.exe.

To create a registry import file that removes the MBAM registry entries

1. Copy the AddMBAMRegEntries.reg file to the RemoveMBAMRegEntries.reg file.

2. In Microsoft Notepad, make the following changes to the RemoveMBAMRegEntries.reg

file, and then save the file:

a. Leave the "Installed"=dword:00000001 line untouched.

b. For all other registry values in the file, replace everything after the equal sign (=) with a minus sign (-). For example, change "NoStartupDelay"=dword:00000001 to "NoStartupDelay"=-. When a .reg file is imported, a value written this way is deleted from the registry.

For more information on how to create registry files, see How to add, modify, or delete registry

subkeys and values by using a registration entries (.reg) file.
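The transformation in the second procedure is mechanical, so it can be scripted rather than done by hand in Notepad. The following is an added example (not from the MBAM guide) that derives RemoveMBAMRegEntries.reg from AddMBAMRegEntries.reg by the rule above: keep the "Installed" line, turn every other value line into "Name"=-, and pass header, blank, and [key] lines through unchanged. The sample Add file is constructed for illustration and uses only the value names this guide mentions; the server URL in it is an assumed placeholder. Because the KeyRecoveryServiceEndPoint value is where the client escrows recovery keys, use the same URL you configure in the MBAM Group Policy settings, and prefer the HTTPS address of your MBAM server.

```powershell
# Added example (not from the MBAM guide): build RemoveMBAMRegEntries.reg from
# AddMBAMRegEntries.reg. Value lines other than "Installed" become "Name"=-,
# which deletes the value when the file is imported.

function ConvertTo-RemoveRegFile {
    param(
        [Parameter(Mandatory = $true)][string[]]$AddLines,
        [string[]]$Keep = @('Installed')          # values that must survive
    )
    foreach ($line in $AddLines) {
        # Value lines look like "Name"=data; everything else passes through.
        if ($line -match '^"(?<name>[^"]+)"=') {
            if ($Keep -contains $Matches['name']) { $line }
            else { '"{0}"=-' -f $Matches['name'] }
        }
        else { $line }
    }
}

# Constructed sample of an exported AddMBAMRegEntries.reg (URL is an assumed placeholder).
$addReg = @(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]',
    '"Installed"=dword:00000001',
    '"KeyRecoveryServiceEndPoint"="https://mbam.example.com/MBAMRecoveryAndHardwareService/CoreService.svc"',
    '"NoStartupDelay"=dword:00000001'
)

$removeReg = ConvertTo-RemoveRegFile -AddLines $addReg
# RegEdit exports .reg files as UTF-16 LE ("Unicode"); keep the same encoding.
$removeReg | Set-Content -Path .\RemoveMBAMRegEntries.reg -Encoding Unicode
$removeReg
```

For the sample input, the output keeps the header, the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] line and "Installed"=dword:00000001, and rewrites the other two lines as "KeyRecoveryServiceEndPoint"=- and "NoStartupDelay"=-. To use it on a real export, replace $addReg with Get-Content AddMBAMRegEntries.reg.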

Step 2: Create a script to automate the MBAM client immediately initiating encryption

Create a script to automate the MBAM client immediately initiating encryption during a task

sequence. You can create such a script by using either Windows PowerShell or Microsoft Visual

Basic Scripting Edition (VBScript). You run this script in the task sequence for your automated

deployments in MDT or System Center Configuration Manager.

The high-level steps that the script must perform are as follows:

1. Determine whether the MBAM client has been installed.

2. Stop the MBAM client service.

3. Import the AddMBAMRegEntries.reg file to the registry.

4. Start the MBAM client service.

5. Verify that encryption has started on the desired disk volume.

6. Import the RemoveMBAMRegEntries.reg file.

7. Restart the MBAM client service.

For an example of how to implement a script that performs these functions, see the section,

“Automating the process with a script,” in the TechNet article, Using MBAM to start BitLocker

Encryption in a Task Sequence.
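The following script is an added example (it is not the script from the TechNet article, nor part of the MBAM guide) that implements the seven steps above in Windows PowerShell for a Run PowerShell Script task sequence step. It assumes that the two .reg files sit in the same folder as the script, that the operating system volume is C:, and that manage-bde.exe is present (Windows 7 and Windows 8). The service name MBAMAgent is the one used by the NET STOP command earlier in this section. Any exit code other than 0 makes the task sequence step fail, which is what you want: a device that reaches the user without encryption started has also never escrowed its recovery key.

```powershell
# Added example (not from the MBAM guide): apply the deployment-time MBAM
# registry settings, confirm that BitLocker started, then restore the normal
# Group Policy-driven configuration. Run as a task sequence step after the
# step that installs the MBAM client.
param(
    [string]$Volume     = 'C:',
    [int]   $TimeoutSec = 300
)
$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path

function Test-MbamClientInstalled {
    # The client records Installed=1 under its key, and its service must exist.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MBAM' -ErrorAction SilentlyContinue
    return ($key -ne $null -and $key.Installed -eq 1 -and
            (Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue) -ne $null)
}

function Import-RegFile([string]$Path) {
    # reg.exe import sets an exit code; regedit /s does not, so use reg.exe.
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed for $Path (exit code $LASTEXITCODE)" }
}

function Get-EncryptionPercent([string]$Volume) {
    # Parse "Percentage Encrypted: 12.3%" from manage-bde -status (English output).
    $line = (& manage-bde.exe -status $Volume) | Where-Object { $_ -match 'Percentage Encrypted' }
    if ($line -match '(\d+(\.\d+)?)\s*%') { return [double]$Matches[1] }
    return 0
}

function Wait-EncryptionStarted([string]$Volume, [int]$TimeoutSec) {
    # "Started" = conversion running, or the volume already encrypted (full or used-space-only).
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $status = (& manage-bde.exe -status $Volume) -join "`n"
        if ($status -match 'Conversion Status:\s+(Encryption in Progress|Fully Encrypted|Used Space Only Encrypted)') { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. The Install Application step must already have run.
if (-not (Test-MbamClientInstalled)) { Write-Warning 'MBAM client is not installed.'; exit 1 }

$rc = 0
try {
    # 2-4. Stop the agent, apply the deployment-time settings, start it again.
    Stop-Service -Name MBAMAgent -Force
    Import-RegFile (Join-Path $scriptDir 'AddMBAMRegEntries.reg')
    Start-Service -Name MBAMAgent

    # 5. Encryption must have started; until it does, no recovery key has been escrowed.
    if (Wait-EncryptionStarted -Volume $Volume -TimeoutSec $TimeoutSec) {
        Write-Output ("{0} is {1}% encrypted." -f $Volume, (Get-EncryptionPercent $Volume))
    }
    else {
        Write-Warning "BitLocker did not start on $Volume within $TimeoutSec seconds."
        $rc = 2
    }
}
catch {
    Write-Warning $_
    $rc = 1
}
finally {
    # 6-7. Always hand the client back to its normal Group Policy configuration.
    Import-RegFile (Join-Path $scriptDir 'RemoveMBAMRegEntries.reg')
    Restart-Service -Name MBAMAgent -Force
}
exit $rc
```

The status parsing relies on the English manage-bde output; on localized Windows 8 images, replace the two parsing functions with Get-BitLockerVolume from the BitLocker module, which returns VolumeStatus and EncryptionPercentage as properties.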

Step 3: Add a task sequence step to run the script

You must add a task sequence step to run the script immediately after the task sequence step to

install the MBAM client. The type of task sequence step you add is based on how you created

the script. For example, if you created the script by using Windows PowerShell, then add a Run

PowerShell Script task sequence step. If you used VBScript, then add a Run Command Line

task sequence step.

Group Policy software installation

You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software

installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a

network share for the MBAM client installation files, and then create a GPO that installs the

appropriate Windows Installer package file on each computer.

To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use

Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to

target computers in a particular security group or computers that are running Windows 8 or

Windows 7.

You cannot use command-line options when you use Group Policy to

deploy the MBAM client. In this scenario, the easiest way to configure the

MBAM client is to use the MBAM Client Policy administrative template.

Alternatively, you can create a transform for the MBAM client Windows

Installer package files and apply that transform when you create the GPO.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can enable encryption with MBAM, you must ensure that the partitions on the

targeted devices are configured properly for BitLocker deployment. Group Policy software

installation–based deployments are always performed on devices where the operating system

has been deployed. Ensure that the partitions on the targeted devices are configured properly

for BitLocker deployment, as described in the section, BitLocker partition configuration

requirements in this guide.

If the partitions on a targeted device are not configured properly for

BitLocker deployment, consider refreshing the operating system on the

device to create the proper partitions. For more information, see the

section Lite Touch Installation in MDT 2012 or Zero Touch Installation and

User-Driven Installation in MDT 2012.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.

The process for enabling the TPM is different for each device manufacturer and sometimes even

across models within a device manufacturer. The high-level process for automatically enabling

the TPM is as follows:

1. Package the vendor-specific software for enabling TPM as an .msi package.

In some instances, the vendor-specific software may be scripts and cannot be easily

packaged as an .msi file. In these instances, use one of the other methods for enabling

TPM.

2. Create a network shared folder that contains the .msi package created in the previous

step.

3. Create a GPO to install the .msi package (such as Enable TPM Policy).

4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a

WMI query to determine whether the TPM is enabled on targeted devices.

5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if

applicable.

6. Link the Enable TPM Policy GPO to the appropriate OUs.
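Step 4 calls for a WMI query that tells Group Policy whether the TPM is enabled. The following added example (not from the MBAM guide) shows the query text to enter in the GPMC WMI filter, checks the TPM state on a reference device through the Win32_Tpm class, and evaluates the query the way Group Policy will. Win32_Tpm lives in the root\cimv2\Security\MicrosoftTpm namespace and requires an elevated session; the WMI filter in GPMC must be created in that same namespace.

```powershell
# Added example (not from the MBAM guide): report TPM state and test the WMI
# filter query used to gate the MBAM Client Installation GPO. Run elevated.

$tpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

# Query text for the GPMC WMI filter (namespace: root\cimv2\Security\MicrosoftTpm).
$tpmReadyQuery = 'SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True AND IsActivated_InitialValue = True'

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance: no TPM, or it is disabled/hidden in BIOS/UEFI so Windows cannot see it.
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null }
    }
    # The *_InitialValue properties reflect the state at boot; the methods ask the chip now.
    New-Object PSObject -Property @{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion
    }
}

function Test-TpmWmiFilter {
    # Group Policy applies a WMI-filtered GPO when the query returns at least one instance.
    $rows = Get-WmiObject -Namespace $tpmNamespace -Query $tpmReadyQuery -ErrorAction SilentlyContinue
    return ($rows -ne $null)
}

$state = Get-TpmState
$state | Format-List Present, Enabled, Activated, Owned, SpecVersion
if (-not $state.Present) {
    Write-Warning 'No TPM visible: enable it in BIOS/UEFI or with the vendor tool before deploying the MBAM client.'
}
elseif ($state.Owned) {
    Write-Warning 'TPM is already owned (by Windows or another tool); MBAM cannot take ownership and will not be able to help users reset it.'
}
"WMI filter passes on this device: $(Test-TpmWmiFilter)"
```

Link the filter to the MBAM Client Installation GPO, not to the Enable TPM Policy GPO: the installation GPO should apply only after the vendor package has enabled and activated the TPM, while the TPM-enabling GPO must apply regardless of the current TPM state.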

Step 3: Share the installation files

You must create a network share that contains the MBAM client Setup files. This network share

must be accessible to all computers on which you want to install the MBAM client. Grant Read

access to the Domain Computers group or to the Authenticated Users group.

To create and share a folder for the MBAM client installation files

1. On SERVER, create the folder MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder that will contain the MBAM client installation files.

2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 8

describes. To configure NTFS file system permissions, right-click the folder, click

Properties, and then click Advanced on the Security tab.

Table 8. NTFS file system permissions for the MBAM client setup folder

Account              Permissions       Applies to
Administrators       Full control      This folder, subfolders, and files
Authenticated Users  Read and Execute  This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 9 describes. To

configure share permissions, right-click the folder, click Properties, and then click the

Sharing tab.

Table 9. Share permissions for the MBAM client setup folder

Account              Permissions
Authenticated Users  Read

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to

\\SERVER\MBAM_Client_Setup.

The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which

contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire

\MBAM\Installers\2.0 folder structure so that both versions are available for deployment.
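The four steps above can be done in one script. The following is an added example (not from the MBAM guide) that creates the folder with the NTFS permissions in Table 8, shares it with the share permission in Table 9, copies the 2.0 installer tree, and then verifies two things a practitioner cares about before pointing a GPO at the share: every installer on it carries a valid Authenticode signature, and no account other than Administrators can write to it (a writable share would let anyone who can reach it swap the MSI that every domain computer installs). The folder, share, and media paths are assumed; New-SmbShare needs Windows Server 2012 or Windows 8 or later, and the script must run elevated on the file server.

```powershell
# Added example (not from the MBAM guide): create, permission, populate and
# verify the MBAM client installation share. Paths are assumed placeholders.
param(
    [string]$FolderPath = 'D:\MBAM_Client_Setup',
    [string]$ShareName  = 'MBAM_Client_Setup',
    [string]$MediaRoot  = 'E:\MBAM\Installers\2.0'
)
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null

# Table 8: Administrators Full control, Authenticated Users Read and Execute, both
# inherited by subfolders and files ((OI)(CI)). /inheritance:r first removes
# inherited entries so that nothing wider from the parent folder leaks in.
& icacls.exe $FolderPath /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant:r 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }

# Table 9: share-level Read for Authenticated Users only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -ReadAccess 'Authenticated Users' | Out-Null
}

# Copy the whole 2.0 tree so both the x64 and x86 clients are available.
& robocopy.exe $MediaRoot (Join-Path $FolderPath '2.0') /E /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit code $LASTEXITCODE)" }   # 0-7 = success

# Supply-chain check: every installer on the share must be validly signed.
$unsigned = Get-ChildItem -Path $FolderPath -Recurse -Include '*.msi', '*.exe' |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' }
if ($unsigned) { $unsigned | Format-Table Path, Status; throw 'Unsigned or altered installer found on the share.' }

# Least-privilege check: no Allow entry outside Administrators may carry write rights.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$badAces = (Get-Acl -Path $FolderPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -notlike '*\Administrators' -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($badAces) { $badAces | Format-Table IdentityReference, FileSystemRights; throw 'Write access is granted to non-administrators.' }

"\\$env:COMPUTERNAME\$ShareName is ready."
```

Re-run the two verification blocks whenever the share contents are refreshed; the signature check is what protects the deployment from a modified MSI, and the ACL check is what keeps the share from becoming a way to distribute one.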

Step 4: Create a GPO to install the MBAM client

You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a

client running the Remote Server Administration Tools. You can create a GPO that installs only

the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of

your MBAM policies in one location. The steps in this section install both the x64 and x86 agents

by using a single GPO, allowing Group Policy to determine the correct version to install.

To create and edit a GPO to deploy the x64 and x86 MBAM client

1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client

Installation):

a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click

New.

b. In the Name box, type MBAM Client Installation, and then click OK.

2. In the navigation pane, right-click MBAM Client Installation, and then click Edit.

3. In the Group Policy Management Editor, right-click Software Installation in Computer

Configuration\Policies\Software Settings, point to New, and then click Package.

4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit

version of MBAMClient.msi in the x64 folder, and then click Open.

Make sure you open the file from the network share you created earlier and not from a

local path.

5. In the Deploy Software dialog box, click Advanced, and then click OK.

6. In the Name box on the General tab of the MDOP MBAM Properties dialog box,

append x64 to the end of the name, and then click OK.

This will help you to distinguish between the x86 and x64 versions later.

7. In the Group Policy Management Editor, right-click Software Installation in Computer

Configuration\Policies\Software Settings, point to New, and then click Package.

8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in

the x86 folder, and then click Open.

Make sure you open the file from the network share you created earlier and not from a

local path.

9. In the Deploy Software dialog box, click Advanced, and then click OK.

10. In the MDOP MBAM Properties dialog box, complete the following steps, and then

click OK:

a. On the General tab, in the Name box, append x86 to the end of the name.

b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86

application available to Win64 machines check box and click OK.

Clearing this check box prevents Group Policy from installing the 32-bit MBAM client

on 64-bit operating systems, ensuring that the correct version of the MBAM client is

installed for each system type.

11. Close the Group Policy Management Editor.

Step 5: Link the GPO to OUs

You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in

those OUs. You can link the GPO to individual OUs. If the computers you want to target for

installation are in multiple OUs, you can link the GPO to the domain and use security or WMI

filtering to limit installation to specific computers, types of computers, or Windows versions,

which is discussed in the section, “Step 6: Optionally target the GPO.”

To link the GPO to an OU

1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation

GPO, and then click Link an Existing GPO.

2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client

Installation, and then click OK.

Step 6: Optionally target the GPO

When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all

computers in that OU, installing the MBAM client on them. In some cases, however, this might

not be desirable. You can target MBAM client deployment to specific computers within an OU

by using security or WMI filtering. See Table 10 for more information.

Table 10. Filtering the MBAM Client Installation GPO

Method: Security filtering
Description: This filtering method allows you to target specific computers based on membership in AD DS security groups. The members of the security group can be computer objects or other security groups containing computer objects. You control the deployment of the MBAM client to specific computers by adding or removing them from the security group. For more information about security filtering, see Filter Using Security Groups.

Method: WMI filtering
Description: This filtering method allows you to target specific computers based on a WMI query. For example, you could use a WMI query to target the operating system version on computers and deploy the MBAM client only if the operating system is Windows 8 or Windows 7. You create a WMI filter separately, and then link the WMI filter to the GPO that you created to deploy the MBAM client. For more information about WMI filtering and how to create a WMI filter, see Work with WMI Filters.
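Steps 5 and 6 can also be done with the GroupPolicy module (available on domain controllers and with the Remote Server Administration Tools). The following is an added example, not from the MBAM guide, that links the GPO to an OU, replaces the default Authenticated Users Apply permission with a computer security group for security filtering, and tests the operating system WMI query from Table 10 on a reference computer. The OU, domain, and group names are assumed placeholders. The WMI filter object itself still has to be created in GPMC; the module has no cmdlet for it.

```powershell
# Added example (not from the MBAM guide): link and scope the MBAM Client
# Installation GPO. OU, domain and group names below are assumed.
Import-Module GroupPolicy

$gpoName  = 'MBAM Client Installation'
$targetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed
$group    = 'MBAM Pilot Computers'                        # assumed AD security group of computer objects

# Step 5: link the GPO (skip if a link with this name already exists on the OU).
$existing = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Security filtering: only members of $group apply the GPO. Authenticated Users is
# reduced to Read (not removed) so that every computer can still evaluate the GPO.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# WMI filter for Table 10: Windows 7 (6.1) or Windows 8 (6.2) workstation SKUs.
# ProductType = 1 excludes servers that share the same kernel version.
$osFilterQuery = "SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE '6.1%' OR Version LIKE '6.2%') AND ProductType = 1"

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = '.'
    )
    # A WMI-filtered GPO applies when the query returns at least one instance.
    $rows = Get-WmiObject -Namespace $Namespace -Query $Query -ComputerName $ComputerName -ErrorAction SilentlyContinue
    return ($rows -ne $null)
}

"OS filter matches this computer: $(Test-WmiFilterQuery -Query $osFilterQuery)"
Get-GPPermission -Name $gpoName -All |
    Format-Table @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```

Paste the $osFilterQuery text into the WMI filter in GPMC (namespace root\cimv2) and link the filter to the GPO; the final Get-GPPermission listing should show the group with GpoApply and Authenticated Users with GpoRead only.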

Lite Touch Installation in MDT 2012

You can deploy the MBAM client during operating system deployment by using the Lite Touch

Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client

installation files as an application, and then adding an Install Application step for the agent to

your existing operating system deployment task sequences.

By installing the MBAM client as part of the operating system deployment task sequence, MDT installs the client automatically, which ensures that encryption is started or completed before users receive their device and that the device is protected before they start it for the first time. The MBAM client will be ready for use before users log on to the device for the first time.

Windows 8 includes the BitLocker Used Disk Space Only encryption

feature, which encrypts only the disk space currently in use instead of the

entire disk volume. This feature dramatically reduces the time required to

encrypt a disk volume.

By default, MDT automatically performs Used Disk Space Only encryption

when enabling BitLocker for Windows 8 deployments to reduce the

length of time required to deploy Windows 8.

The following sections describe the steps necessary to complete each task in the Deployment

Workbench:

1. Ensure that partitions on targeted devices are configured for BitLocker.

2. Enable the TPM on targeted devices.

3. Add the MBAM client to the Applications node of your deployment share.

4. Configure the MBAM client application to hide it from users in the Deployment Wizard.

5. Add an Install Application step to your existing operating system task sequences.

6. Configure the MDT BitLocker-related configuration settings.

7. Immediately initiate encryption by using the MBAM client during tasks sequences.

For more information about using MDT to install applications during

operating system deployment, see the MDT documentation.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can enable BitLocker with MBAM, ensure that the partitions on the targeted devices are

configured properly for BitLocker deployment. For new devices or for devices that are being

replaced, MDT automatically creates the necessary partitions to support BitLocker. When

refreshing an existing device, LTI automatically resizes and creates the necessary partitions to

support BitLocker, if there is sufficient available disk space.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.

The scripts or software for enabling the TPM are different for each device manufacturer and

sometimes even across models within a device manufacturer.

By default, LTI performs BitLocker pre-provisioning for new device, refresh device, and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:

- Run in Windows PE, then you can support BitLocker pre-provisioning.
- Only run in a Windows operating system, then you must either:
  - Manually enable the TPM to support BitLocker pre-provisioning, or
  - Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed, but still as a part of the task sequence.

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-

provisioning.

To automatically enable the TPM and support BitLocker pre-provisioning by using scripts

or software that can run in Windows PE

1. Create a network shared folder that contains the vendor-specific software for enabling the

TPM.

2. Create an MDT application that contains the software in the previous step.

3. Install the application by using the Install Application task sequence step.

Place the Install Application task sequence step in the Preinstall group immediately before

the Enable BitLocker (Offline) task sequence step.

To automatically enable the TPM by using scripts or software that can run only in a

Windows operating system (no BitLocker pre-provisioning support)

1. Create a network shared folder that contains the vendor-specific software for enabling the

TPM.

2. Create an MDT application that contains the software in the previous step.

3. Install the application by using the Install Application task sequence step.

Place the Install Application task sequence step in the State Restore group immediately

before the Enable BitLocker task sequence step.

For more information on enabling the TPM, see Enable the TPM.

Step 3: Add the MBAM client application

When you add an application to your MDT deployment share, you must specify the command

that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client

installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based

on the target operating system version.

The command you specify for MBAM client installation must include the /q command-line

option to perform an unattended installation. This option runs MbamClientSetup.exe with no

user interaction. If you do not include this command-line option, the Setup program stalls the

deployment process to wait for user interaction.

To add the MBAM client to your deployment share

1. In the Deployment Workbench, click Applications under Deployment

Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the

name of your deployment share).

2. In the Actions pane, click New Application.

3. Complete each page of the New Application Wizard:

Application Type page
  1. Click Application with source files.
  2. Click Next.
  Select Application without source files or elsewhere on the network instead if you already have the installation files in a network share. For more information, see the section, "Create a New Application That Is Deployed from Another Network Share," in the MDT documentation.

Details page
  1. In the Application Name box, type MBAM Client 64-bit.
  2. Click Next.
  The remaining text boxes on this page are optional and informational only. Although they do not affect deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.

Source page
  1. In the Source directory box, type the path of the \MBAM\Installers\2.0\x64 folder that contains MbamClientSetup.exe. The Source directory box supports autocomplete, but you can also click Browse to locate the files.
  2. Click Next.

Destination page
  1. In the Specify the name of the directory that should be created box, optionally edit the name of the folder that the New Application Wizard will create in the deployment share. The wizard suggests a name based on the publisher, name, and version that you provided on the Details page.
  2. Click Next.

Command Details page
  1. In the Command line box, type the command that installs the MBAM client, including the /q option for an unattended installation, for example:
     MbamClientSetup.exe /q
  2. Click Next.

Summary page
  1. In the Details area, review the information that the New Application Wizard collected.
  2. Click Next.

Progress page
  Monitor the wizard's progress as it adds the application to your deployment share.

Confirmation page
  Review the results, and then click Finish.

If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New Application Wizard with the following changes:
- On the Details page, in Application Name, type MBAM Client 32-bit.
- On the Source page, browse to the \MBAM\Installers\2.0\x86 folder.

Step 4: Configure the application

After adding the application to your MDT deployment share, select the Hide this application in the Deployment Wizard check box so that users cannot see or select the application in the Deployment Wizard. Hiding the application prevents a user from selecting it in addition to the task sequence step that installs it; otherwise the application would try to install twice, and the second installation would return a failure code and create errors in the deployment process.

To customize the MBAM client in your deployment share

1. In the Applications node of the deployment share, right-click the MBAM client

application that you previously added, and then click Properties.

2. On the General tab of the application’s Properties dialog box, select the Hide this

application in the Deployment Wizard check box.

3. Click OK.
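The New Application Wizard and the Hide setting from Steps 3 and 4 can also be scripted with the MDT PowerShell provider. The following is an added example, not code from the MBAM deployment guide or from MDT itself. It assumes MDT is installed in its default location, the deployment share is D:\DeploymentShare, the MBAM media is mounted at M:\, and that the property the Workbench sets for the Hide check box is named Hide (verify that in your MDT version):

```powershell
# Added example (not from the MBAM deployment guide): scripts the New Application
# Wizard for the 64-bit and 32-bit MBAM clients and then hides both applications
# in the Deployment Wizard. Assumptions: MDT in the default install location,
# deployment share D:\DeploymentShare, MBAM media mounted at M:\.
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name DS001 -PSProvider MDTProvider -Root 'D:\DeploymentShare' `
    -ErrorAction SilentlyContinue | Out-Null

$apps = @(
    @{ Name = 'MBAM Client';        Arch = 'x64' },
    @{ Name = 'MBAM Client 32-bit'; Arch = 'x86' }
)

foreach ($app in $apps) {
    $source = "M:\MBAM\Installers\2.0\$($app.Arch)"
    $setup  = Join-Path $source 'MbamClientSetup.exe'
    if (-not (Test-Path $setup)) { throw "Installer not found: $setup" }

    # Same fields the wizard asks for on its Details, Source, Destination and
    # Command Details pages; the command line is the silent install.
    Import-MDTApplication -Path 'DS001:\Applications' -Enable 'True' `
        -Name $app.Name -ShortName $app.Name -Version '2.0' `
        -Publisher 'Microsoft' -Language '' `
        -CommandLine 'MbamClientSetup.exe /q' `
        -WorkingDirectory ".\Applications\$($app.Name)" `
        -ApplicationSourcePath $source `
        -DestinationFolder $app.Name | Out-Null

    # Step 4: hide the application so it cannot be selected (and so installed
    # twice) in the Deployment Wizard. 'Hide' is assumed to be the property the
    # Workbench writes for this check box.
    Set-ItemProperty -Path "DS001:\Applications\$($app.Name)" -Name Hide -Value 'True'
}

# Check: list the MBAM applications with their command lines and Hide flags.
Get-ChildItem 'DS001:\Applications' |
    Where-Object { $_.Name -like 'MBAM Client*' } |
    Select-Object Name, CommandLine, Hide
```

The final Get-ChildItem is the check to run before editing task sequences: both applications should show the single-.exe command line and Hide set to True.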

Step 5: Edit task sequences

Install the MBAM client application during operating system deployment by adding it to task

sequences. By adding the MBAM client to your existing task sequences, you can install the agent

automatically, with no interaction from the user. This method helps to ensure that the MBAM

client is available immediately, before users log on to the computer.

To install the MBAM client in an LTI task sequence

1. In the Deployment Workbench, click Task Sequences under Deployment

Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the

name of your deployment share).

2. In the results pane, right-click the task sequence to which you want to add the MBAM

client, and then click Properties.

3. On the Task Sequence tab of the task sequence’s Properties dialog box, click the Install

Applications task sequence step.

This step is in the State Restore group. The task sequence editor adds the new task

sequence step immediately after this step.

4. From the Add menu, click General, and then click Install Application.


5. Click the new Install Application task sequence step that you just added, and then perform the following steps:

a. In the Name box, type Install the MBAM Client.
b. Click Install a single application, click Browse, click the MBAM client application in the Select An Item dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment. A device deployed that way finishes deployment without the MBAM client and without managed encryption, so follow up on such devices in the MBAM compliance reports.

6. Click OK to close the task sequence's Properties dialog box.

Step 6: Configure MDT BitLocker-related settings

You can configure BitLocker-related settings by using one of the following methods in LTI:

MDT properties specified in the CustomSettings.ini file or the MDT database (MDT DB)

The benefit of this method is that you can prevent configuration errors by making the configuration settings in advance, which allows you to bypass the BitLocker page in the Deployment Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for LTI deployments and bypass the BitLocker page:

BDEDriveLetter
BDEDriveSize
BDEInstall
BDEInstallSuppress
BDERecoveryKey
TPMOwnerPassword
OSDBitLockerStartupKeyDrive
OSDBitLockerWaitForEncryption

For more information about these MDT properties, see the corresponding sections in the MDT document Toolkit Reference. Note that TPMOwnerPassword is stored in clear text: anyone who can read CustomSettings.ini on the deployment share or query the MDT DB can read it, so restrict read access to both accordingly.


The BitLocker page in the Deployment Wizard (shown in Figure 5)

The benefit of this method is that you can provide the BitLocker configuration settings at the

time of deployment. This allows the user performing the deployment to make BitLocker

configuration changes as required on a device-by-device basis at the time of deployment.

Figure 5. The BitLocker page in the Deployment Wizard

Step 7: Add a task sequence step to immediately initiate encryption by using the MBAM client

By default, the MBAM client initiates encryption and saves the recovery keys only after the MBAM Group Policy settings have been applied and the client's next policy check runs (the interval is set by the client checking status frequency policy, 90 minutes by default). Until then, the device remains in an unprotected state.

You can configure the MBAM client to immediately initiate encryption in a task sequence step. For more information on how to do this, see Configure the MBAM client to immediately initiate encryption during task sequence.

Zero Touch Installation and User-Driven Installation in MDT 2012

You can deploy the MBAM client by using the application model in System Center 2012 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment:

Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process is discussed in the section System Center 2012 Configuration Manager Application Model.

Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that encryption can be started or completed before users receive their device, so the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process is discussed in this section.

You can deploy the MBAM client during operating system deployment by using the Zero Touch Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.

By installing the MBAM client as part of the operating system deployment task sequence, ZTI and UDI install the client automatically, which ensures that encryption is started or completed before users receive their device and that the device is protected before users start it for the first time. The MBAM client will be ready for use before users log on to the device for the first time.


Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume.

By default, MDT performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8. Because free space is left as is, data that previously occupied that free space on a disk that has already been used (for example, files deleted before a refresh) remains readable; use Used Disk Space Only for new or freshly wiped disks and full-volume encryption for disks that held data before.

The following sections describe the steps necessary to complete each of these tasks:

1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Create and share a content folder for the MBAM client installation files.
4. Create a System Center 2012 Configuration Manager application for the MBAM client installation.
5. Distribute the System Center 2012 Configuration Manager application to the distribution points.
6. Deploy the System Center 2012 Configuration Manager application to the targeted computers.
7. Add an Install Application step to your existing operating system task sequences.
8. Configure the MDT BitLocker-related configuration settings.
9. Immediately initiate encryption by using the MBAM client during task sequences.


For more information about using MDT to install applications during

operating system deployment, see the MDT documentation.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can use MBAM, you need to ensure that the partitions on the targeted devices are

configured properly for BitLocker deployment. For new devices or devices that are being

replaced, MDT automatically creates the necessary partitions to support BitLocker. When

refreshing an existing device, MDT automatically resizes and creates the necessary partitions to

support BitLocker (if there is sufficient available disk space) after the operating system has been

deployed in the State Restore group.

If you want ZTI and UDI to create the appropriate partitions automatically in the refresh device deployment scenario, perform a replace device deployment scenario instead, treating the existing device as both the original and the replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than the one to which the operating system will be deployed.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models from the same manufacturer.

By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for the new device and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. Whether you can use it depends on where the vendor's TPM-enabling scripts or software can run:

If they can run in Windows PE, you can support BitLocker pre-provisioning.

If they can run only in a full Windows operating system, you must either manually enable the TPM before deployment to support BitLocker pre-provisioning, or forgo BitLocker pre-provisioning and encrypt after the operating system is deployed, still as part of the task sequence.

If you want to use BitLocker pre-provisioning for the refresh device

deployment scenario for ZTI and UDI, perform a replace device

deployment scenario, and treat the existing device as the original and

replacement device. In this way, you back up the user state from the

device, wipe the device, deploy the operating system, and then restore

the user state to the device. Ensure that you store the user state in a

network shared folder or in local storage on a disk other than where the

operating system will be deployed.

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-

provisioning.

To automatically enable the TPM and support BitLocker pre-provisioning by using scripts

or software that can run in Windows PE

1. Create a network shared folder that contains the vendor-specific software for enabling the

TPM.

2. Create an MDT application that contains the software in the previous step.

3. Install the application by using the Install Application task sequence step.

Place the Install Application task sequence step in the Preinstall group immediately before

the Pre-provision BitLocker task sequence step.

To automatically enable the TPM by using scripts or software that can run only in a

Windows operating system (no BitLocker pre-provisioning support)

1. Create a network shared folder that contains the vendor-specific software for enabling the

TPM.


2. Create an MDT Application that contains the software in the previous step.

3. Install the application created in the previous step by using the Install Application task

sequence step.

Place the Install Application task sequence step in the State Restore group immediately

before the Enable BitLocker task sequence step.

Step 3: Share the installation content

When you create a System Center 2012 Configuration Manager application, you must specify a

source for the application content. The source must be a network share that is accessible to

System Center 2012 Configuration Manager, because System Center 2012 Configuration

Manager uses the contents of the source folder to create the application.

To create and share a folder for the MBAM client installation content

1. On SERVER, create the folder MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder that will contain the MBAM client installation files.

2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 11 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.

Table 11. NTFS file system permissions for the MBAM client setup folder

Account               Permissions         Applies to
Administrators        Full control        This folder, subfolders, and files
Site_Server_Account   Read and Execute    This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 12 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.

Table 12. Share permissions for the MBAM client setup folder

Account               Permissions
Administrators        Full control
Site_Server_Account   Full control

Effective access through the share is the more restrictive of the share and NTFS permissions, so the site server account gets read-only access. Keep it that way: Configuration Manager runs the installer taken from this content as the local SYSTEM account on every targeted device, so anyone who can modify MBAMClient.msi or MbamClientSetup.exe in this folder can run code as SYSTEM on all of them. Grant write access only to administrators, and do not add broader groups such as Users or Authenticated Users.

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to \\SERVER\MBAM_Client_Setup. The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire folder structure so that both versions are available for deployment.

Step 4: Create the MBAM client application

When you create a System Center 2012 Configuration Manager application, you must specify

the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM

client, MBAMClient.msi requires less effort because of automatic detection of product codes and

other application settings. Creating applications in System Center 2012 Configuration Manager

is based on MSI files, which:

Allow System Center 2012 Configuration Manager to detect whether the application is

already installed

Use a well-known System Center 2012 Configuration Manager deployment type

Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 Configuration Manager

1. In the Configuration Manager console, click the Software Library workspace.


2. In the Software Library workspace, click Applications in Overview\Application

Management.

3. In the Create group on the Ribbon, click Create Application.

4. Complete each page of the Create Application Wizard:

General page:
1. Click Manually specify the application information.
2. Click Next.

General: General Information page:
1. In the Name box, type MBAM Client.
2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box. Selecting this check box allows the Install Application task sequence step (including one driven by task sequence variables) to install the MBAM client without a separate deployment.
3. Click Next.
The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the application.

General: Application Catalog page:
1. Click Next.
The text boxes on this page are optional and prompt for information to display in the Application Catalog. This deployment guide recommends that you hide the MBAM client from the Application Catalog, so leave them blank.

General: Deployment Types page:
1. Click Add to add a deployment type for the 64-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x64 folder).
2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (for example, \\SERVER\MBAM_Client_Setup\x64\MBAMClient.msi), and then click Next.
3. On the Import Information page of the Create Deployment Type Wizard, click Next.
4. On the General Information page of the Create Deployment Type Wizard, perform the following steps:
   a. In the Name box, append x64 to the end of the name for easier identification later.
   b. In the Installation program box, add /q to the end of the command.
   c. Click Next.
5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps:
   a. Click Add.
   b. In the Condition list, click Operating system.
   c. In the operating system list, select All Windows 7 (64-bit) and All Windows 8 (64-bit), or whichever 64-bit operating systems you want to support.
   d. Click OK.
   e. Click Next.
6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
7. On the Summary page of the Create Deployment Type Wizard, review the deployment type details, and then click Next.
8. On the Completion page of the Create Deployment Type Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x86 folder), selecting the 32-bit operating systems on the Requirements page so that each deployment type applies only to its own architecture, and then click Next.

Summary page:
1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.

Progress page:
1. Monitor the progress of the Create Application Wizard while it creates the application.

Completion page:
1. Verify that the Create Application Wizard finished successfully, and then click Close.

Step 5: Distribute the MBAM client application

After creating the MBAM client application in System Center 2012 Configuration Manager, you

must distribute the application content to your distribution points. Targeted computers will

install the MBAM client from the distribution points. You use the Distribute Content Wizard in

the Configuration Manager console to distribute the MBAM client application.

To distribute the MBAM client System Center 2012 Configuration Manager application

1. In the results pane, click MBAM Client.

2. In the Deployment group on the Ribbon, click Distribute Content.

3. Complete each page of the Distribute Content Wizard:


General page:
1. Click Next.

General: Content page:
1. Click Next.

General: Content Destination page:
1. Click Add, and then click Distribution Point.
2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK.
3. Click Next.

Summary page:
1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.

Progress page:
1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.

Completion page:
1. Verify that the Distribute Content Wizard finished successfully, and then click Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation

content before continuing to deploy the MBAM client application. To do so, click Refresh in the

Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution

status on the Summary tab at the bottom. When the content status shows that content

distribution is successful, you can deploy the MBAM client application.

Step 6: Deploy the MBAM client application

You can deploy the MBAM client application to users or devices. Because the agent is computer-

centric, Microsoft recommends that you deploy it to computer collections—not user collections.


You use the Deploy Software Wizard in the Configuration Manager console to deploy the

MBAM client application after you have successfully distributed it.

To deploy the MBAM client System Center 2012 Configuration Manager application

1. In the results pane, click MBAM Client.

2. In the Deployment group on the Ribbon, click Deploy.

3. Complete each page of the Deploy Software Wizard:

General page:
1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click the device collection to which you want to deploy the MBAM client, and then click OK.
3. Click Next.
You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 Configuration Manager, see the TechNet article How to Create Collections in Configuration Manager.

Content page:
1. Click Next.

Deployment Settings page:
1. In the Purpose list, click Required.
2. Click Next.
Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 Configuration Manager also reinstalls the agent if users remove it.

Scheduling page:
1. Click Next.

User Experience page:
1. In the User notifications list, click Hide in Software Center and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications prevents System Center 2012 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction with or interference in the deployment.

Alerts page:
1. Click Next.

Summary page:
1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.

Progress page:
1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.

Completion page:
1. Verify that the Deploy Software Wizard finished successfully, and then click Close.

Step 7: Edit task sequences

Install the MBAM client application during operating system deployment by adding the MBAM

client application to existing task sequences. In this way, you can install the client automatically,

with no interaction or interference from users. Doing so helps to ensure that the MBAM client is

available immediately, before users log on to the computer.


To install the MBAM client in a System Center 2012 Configuration Manager task sequence

1. In the Configuration Manager console, click the Software Library workspace.

2. In the Software Library workspace, click Task Sequences in Overview\Operating Systems.

3. In the results pane, right-click the task sequence to which you want to add the MBAM

client, and then click Edit.

4. Click the Install Applications group under the State Restore group. The task sequence

editor adds the new step in this group.

5. From the Add menu, click General, and then click Install Application.

6. Click the new Install Application task sequence step that you just added, and then perform the following steps:

a. In the Name box, type Install the MBAM Client.
b. Click New (the button that looks like a star), click the MBAM client application in the Select The Application To Install dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment. A device deployed that way finishes without the MBAM client, so follow up on it in the MBAM compliance reports.

7. Click OK to close the Task Sequence Editor dialog box.

Step 8: Configure MDT BitLocker-related settings

You can configure BitLocker-related settings by using one of the following methods in MDT:

MDT properties specified in the CustomSettings.ini file or the MDT DB

You must use this method in ZTI deployments. You can also use it for UDI deployments to help prevent configuration errors by making the configuration settings in advance, which allows you to bypass the BitLocker page in the UDI Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for ZTI deployments or to bypass the BitLocker page in the UDI Wizard for UDI deployments:

BDEDriveLetter
BDEDriveSize
BDEInstall
BDEInstallSuppress
BDERecoveryKey
TPMOwnerPassword
OSDBitLockerStartupKeyDrive
OSDBitLockerWaitForEncryption

For more information on these MDT properties, see the corresponding sections in the MDT document Toolkit Reference. As with LTI, TPMOwnerPassword is stored in clear text in CustomSettings.ini and in the MDT DB; restrict read access to both.
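The eight properties listed here (and in Step 6 of the LTI section) are easiest to see together in a CustomSettings.ini fragment. The following is an added example, not a configuration from the MBAM deployment guide or from MDT, for an assumed scenario: TPM-only protector, recovery key escrowed to AD DS, 300 MB system partition, and the task sequence not waiting for encryption to finish. The property values are assumptions to check against the Toolkit Reference for your MDT version.

```ini
; Added example (not from the MBAM deployment guide): [Default] section of
; CustomSettings.ini with the BitLocker-related MDT properties set so that
; the BitLocker page is bypassed. All values are assumptions for the scenario
; described in the lead-in; verify them against the Toolkit Reference.
[Settings]
Priority=Default

[Default]
; Enable BitLocker with a TPM-only protector (other values: TPMKey, TPMPin, Key).
BDEInstall=TPM
; NO = do not suppress BitLocker installation.
BDEInstallSuppress=NO
; Store the recovery key in AD DS; once the MBAM client is installed it
; escrows the recovery password to the MBAM database as well.
BDERecoveryKey=AD
; Unencrypted system partition that the BitLocker steps create or use.
BDEDriveLetter=S:
BDEDriveSize=300
; Let the task sequence continue while encryption runs in the background;
; set TRUE if the device must be fully encrypted before deployment finishes.
OSDBitLockerWaitForEncryption=FALSE
; Only needed when BDEInstall is TPMKey or Key (removable drive for the startup key).
;OSDBitLockerStartupKeyDrive=
; Only needed when the TPM is not yet owned. This file is readable by anyone
; who can read the deployment share, so if you must set it, prefer the MDT DB
; with restricted permissions and rotate the password after deployment.
;TPMOwnerPassword=
```

With these set, the Deployment Wizard (LTI) and the UDI Wizard skip the BitLocker page, and ZTI has everything it needs with no prompt at all.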

BitLocker page in the UDI Wizard (as shown in Figure 6)

The benefit of this method is that you can provide the BitLocker configuration settings at the

time of deployment. This allows the user performing the deployment to make BitLocker

configuration changes as required on a device-by-device basis at the time of deployment.


Figure 6. BitLocker Page in the UDI Wizard

Step 9: Add a task sequence step to immediately initiate encryption by using the MBAM client

By default, the MBAM client initiates encryption and saves the recovery keys only after the MBAM Group Policy settings have been applied and the client's next policy check runs (the interval is set by the client checking status frequency policy, 90 minutes by default). Until then, the device remains in an unprotected state.

You can configure the MBAM client to immediately initiate encryption in a task sequence step. For more information on how to do this, see Configure the MBAM client to immediately initiate encryption during task sequence.
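Whichever of the two approaches you use, the check worth running on a freshly deployed device is whether the MBAM client is actually running and the operating system drive has left the unprotected state. The following is an added example, not code from the MBAM deployment guide or from MBAM itself. It assumes the MBAM client service name is MBAMAgent, that manage-bde.exe prints its status in English, and defines "protected" for its own purposes as fully encrypted with protection on and a Numerical Password protector present for MBAM to escrow:

```powershell
# Added example (not from the MBAM deployment guide): verifies on a deployed
# device that the MBAM client is installed and running and that the OS drive is
# encrypted and protected. Assumptions: service name MBAMAgent, English
# manage-bde output, "protected" as defined in the lead-in.
function Get-MbamDeploymentState {
    param([string]$Drive = $env:SystemDrive)

    $service = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
    $status  = & manage-bde.exe -status $Drive 2>&1 | Out-String

    # Single-line fields from manage-bde -status.
    $percent    = if ($status -match 'Percentage Encrypted:\s+([\d.]+)%') { [double]$Matches[1] } else { 0 }
    $protection = if ($status -match 'Protection Status:\s+(.+)')        { $Matches[1].Trim() } else { 'Unknown' }

    # "Key Protectors:" is followed by one indented line per protector until a
    # blank line; collect those lines.
    $lines      = $status -split '\r?\n'
    $trimmed    = @($lines | ForEach-Object { $_.Trim() })
    $idx        = [array]::IndexOf($trimmed, 'Key Protectors:')
    $protectors = @()
    if ($idx -ge 0) {
        for ($i = $idx + 1; $i -lt $trimmed.Count -and $trimmed[$i]; $i++) {
            $protectors += $trimmed[$i]
        }
    }

    [pscustomobject]@{
        Drive            = $Drive
        AgentInstalled   = [bool]$service
        AgentRunning     = [bool]($service -and $service.Status -eq 'Running')
        PercentEncrypted = $percent
        ProtectionStatus = $protection
        KeyProtectors    = $protectors
        Protected        = ($percent -eq 100 -and
                            $protection -eq 'Protection On' -and
                            ($protectors -contains 'Numerical Password'))
    }
}

$state = Get-MbamDeploymentState
$state | Format-List
if (-not $state.AgentRunning) {
    Write-Warning 'MBAM client service is not running; check the Install Application step and its Continue on error setting.'
}
if (-not $state.Protected) {
    Write-Warning "Drive $($state.Drive) is still unprotected: $($state.PercentEncrypted)% encrypted, $($state.ProtectionStatus)."
}
```

Run it from an elevated prompt (manage-bde requires administrative rights); a device that passes both warnings has nothing left for the MBAM client to do except report compliance.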


System Center 2012 Configuration Manager Application Model

You can deploy the MBAM client by using the application model in System Center 2012

Configuration Manager. You create applications in the Applications node of the Configuration

Manager console. By using System Center 2012 Configuration Manager, you can use a single

deployment tool to install the MBAM client on existing computers as well as during operating

system deployment:

Deployment to existing computers. This method deploys the MBAM client to targeted

computers that already exist or deploys the MBAM client immediately after operating

system deployment is complete. The advantage of this method is that it covers both

scenarios (existing computers and new computers). This process is discussed in this

section.

Installation during operating system deployment. This method installs the MBAM

client during operating system deployment so that the agent is immediately available.

The benefit of this method is that the encryption can be started or completed before

users receive their device, and the device is protected before the user starts it for the first

time. After you create the application in the Configuration Manager console, simply add

an Install Application step to the operating system deployment task sequence. This

process was discussed in the section, Zero Touch Installation and User-Driven Installation

in MDT 2012.

You can also deploy the MBAM client by using the package and program

feature in System Center Configuration Manager 2007. For more

information on how to deploy software using the package and program

feature, see Tasks for Software Distribution.

The following sections describe the steps necessary to complete each task in the Configuration

Manager console:

1. Ensure that the partitions on the targeted devices are configured for BitLocker.

2. Enable the TPM on targeted devices (if not already enabled).

3. Create and share a content folder for the MBAM client installation files.


4. Create a System Center 2012 Configuration Manager application for the MBAM client

installation.

5. Distribute the System Center 2012 Configuration Manager application to the distribution

points.

6. Deploy the System Center 2012 Configuration Manager application to the targeted

computers.

You can automate the steps listed above by creating a custom System

Center Configuration Manager task sequence. For more information, see

the section, “To create a custom task sequence,” in the TechNet article

How to Create Task Sequences.

For more information about using System Center 2012 Configuration Manager to deploy

applications, see the Microsoft TechNet article, System Center Technical Resources.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can enable BitLocker with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices on which the operating system has already been deployed. Verify the partition layout against the section BitLocker partition configuration requirements in this guide.

If the partitions on a targeted device are not configured properly for

BitLocker deployment, consider refreshing the operating system on the

device to create the proper partitions. For more information, see the

section Lite Touch Installation in MDT 2012 or Zero Touch Installation and

User-Driven Installation in MDT 2012.


Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. You

can manually enable the TPM on the targeted devices or automate enabling the TPM on the

targeted devices by using scripts or software. The scripts or software for enabling the TPM are

different for each device manufacturer and sometimes even different across models within a

device manufacturer.

To automatically enable the TPM by using scripts or software

1. Create a network shared folder that contains the vendor-specific software for enabling the

TPM.

2. Create a System Center 2012 Configuration Manager application that contains the

software in the previous step.

3. Distribute the application to the distribution points.

4. Deploy the application to the appropriate user or device collections.

Step 3: Share the installation content

When you create a System Center 2012 Configuration Manager application, you must specify a

source for the application content. The source must be a network share that is accessible to

System Center 2012 Configuration Manager, because System Center 2012 Configuration

Manager uses the contents of the source folder to create the application.

To create and share a folder for the MBAM client installation content

1. On SERVER, create the folder MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder that will contain the MBAM client installation files.

2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 13 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.

Table 13. NTFS file system permissions for the MBAM client setup folder

Account               Permissions         Applies to
Administrators        Full control        This folder, subfolders, and files
Site_Server_Account   Read and Execute    This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 14 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.

Table 14. Share permissions for the MBAM client setup folder

Account               Permissions
Administrators        Full control
Site_Server_Account   Full control

Effective access through the share is the more restrictive of the share and NTFS permissions, so the site server account gets read-only access. Keep it that way: Configuration Manager runs the installer taken from this content as the local SYSTEM account on every targeted device, so anyone who can modify MBAMClient.msi or MbamClientSetup.exe in this folder can run code as SYSTEM on all of them. Grant write access only to administrators, and do not add broader groups such as Users or Authenticated Users.

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to \\SERVER\MBAM_Client_Setup. The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire folder structure so that both versions are available for deployment.

Step 4: Create the MBAM client application

When you create a System Center 2012 Configuration Manager application, you must specify the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM client, MBAMClient.msi requires less effort because of automatic detection of product codes and other application settings. Creating applications in System Center 2012 Configuration Manager is based on MSI files, which:

- Allow System Center 2012 Configuration Manager to detect whether the application is already installed
- Use a well-known System Center 2012 Configuration Manager deployment type
- Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 Configuration Manager

1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Applications in Overview\Application Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:

   Page: General
   1. Click Manually specify the application information.
   2. Click Next.

   Page: General: General Information
   1. In the Name box, type MBAM Client.
   2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box.
      Selecting this check box allows you to use task sequence variables to install the MBAM client.
   3. Click Next.
      The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.

   Page: General: Application Catalog
   1. Click Next.
      The text boxes on this page are optional and prompt for information that you want to display in the application catalog. However, this deployment guide recommends that you hide the MBAM client from the application catalog.

   Page: General: Deployment Types
   1. Click Add to add a deployment type for the 64-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x64 folder).
   2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
   3. On the Import Information page of the Create Deployment Type Wizard, click Next.
   4. On the General Information page of the Create Deployment Type Wizard, perform the following steps:
      a. In the Name box, append x64 to the end of the name for easier identification later.
      b. In the Installation program box, add /q to the end of the command.
      c. Click Next.
   5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps:
      a. Click Add.
      b. Click Operating system in the Condition list.
      c. In the operating system list, select All Windows 7 (64-bit) and All Windows 8 (64-bit). (Select the 64-bit operating systems that you want to support.)
      d. Click OK.
      e. Click Next.
   6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
   7. On the Summary page of the Create Deployment Type Wizard, review the deployment type details, and then click Next.
   8. On the Completion page of the Create Deployment Type Wizard, click Close.
   9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x86 folder), and then click Next.

   Page: Summary
   1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.

   Page: Progress
   1. Monitor the progress of the Create Application Wizard while it creates the application.

   Page: Completion
   1. Verify that the Create Application Wizard finished successfully, and then click Close.

If you decided to automatically enable the TPM by using a script or software in Step 2: Enable the TPM on targeted devices, make certain you set the application created in that step as a dependency for the deployment type for the application created in this step. For more information on creating System Center 2012 Configuration Manager application dependencies, see Step 7: Specify Dependencies for the Deployment Type on TechNet.

Step 5: Distribute the MBAM client application

After creating the MBAM client application in System Center 2012 Configuration Manager, you must distribute the application content to your distribution points. Targeted computers install the MBAM client from the distribution points. You use the Distribute Content Wizard in the Configuration Manager console to distribute the MBAM client application.

To distribute the MBAM client System Center 2012 Configuration Manager application

1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.
3. Complete each page of the Distribute Content Wizard:

   Page: General
   1. Click Next.

   Page: General: Content
   1. Click Next.

   Page: General: Content Destination
   1. Click Add, and then click Distribution Point.
   2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK.
   3. Click Next.

   Page: Summary
   1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.

   Page: Progress
   1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.

   Page: Completion
   1. Verify that the Distribute Content Wizard finished successfully, and then click Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation content before continuing to deploy the MBAM client application. To do so, click Refresh in the Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution status on the Summary tab at the bottom. When the content status shows that content distribution is successful, you can deploy the MBAM client application.

Step 6: Deploy the MBAM client application

You can deploy the MBAM client application to users or devices. Because the agent is computer-centric, Microsoft recommends that you deploy it to computer collections—not user collections. You use the Deploy Software Wizard in the Configuration Manager console to deploy the MBAM client application after you have successfully distributed it.

To deploy the MBAM client System Center 2012 Configuration Manager application

1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:

   Page: General
   1. Click Browse next to the Collection box.
   2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click a device collection to which you want to deploy the MBAM client, and then click OK.
   3. Click Next.
      You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 Configuration Manager, see the TechNet article, How to Create Collections in Configuration Manager.

   Page: Content
   1. Click Next.

   Page: Deployment Settings
   1. In the Purpose list, click Required.
   2. Click Next.
      Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 Configuration Manager also reinstalls the agent if users remove it.

   Page: Scheduling
   1. Click Next.

   Page: User Experience
   1. In the User notifications list, click Hide in Software Center and all notifications.
   2. Click Next.
      Selecting Hide in Software Center and all notifications prevents System Center 2012 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction or interference with deployment.

   Page: Alerts
   1. Click Next.

   Page: Summary
   1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.

   Page: Progress
   1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.

   Page: Completion
   1. Verify that the Deploy Software Wizard finished successfully, and then click Close.

Scripted installation

If you do not use MDT or System Center 2012 Configuration Manager to deploy applications in your environment and you do not want to use Group Policy software installation, you can script installation by using batch scripts, Windows PowerShell scripts, and so on. With this technique, you are essentially performing a command-line installation. You can use the same technique to install the MBAM client by using any non-Microsoft ESD system.

The following sections describe the steps necessary to complete each task:

1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a folder containing the MBAM client installation files.
4. Run MbamClientSetup.exe from the network share containing the installation files.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment as described in the section, BitLocker partition configuration requirements, in this guide.

If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the section Lite Touch Installation in MDT 2012 or Zero Touch Installation and User-Driven Installation in MDT 2012.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on them. You can manually enable the TPM on the targeted devices or automate the process by using scripts or software. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer.

To automatically enable the TPM by using scripts or software

1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create a batch file or script that runs the software in the previous step.
3. Ensure that you run the software to enable the TPM prior to running MbamClientSetup.exe and installing the MBAM client.

Step 3: Share the installation files

Create a network share that contains the MBAM client installation files. This network share must be accessible to all computers on which you want to install the MBAM client. You can give Read access to the Domain Computers group or to the Authenticated Users group.

To create and share a folder for the MBAM client installation files

1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 15 describes.

   To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.

Table 15. NTFS file system permissions for the MBAM client setup folder

   Account               Permissions         Applies to
   Administrators        Full control        This folder, subfolders, and files
   Authenticated Users   Read and Execute    This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 16 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.

Table 16. Share permissions for the MBAM client setup folder

   Account               Permissions
   Authenticated Users   Read

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to \\SERVER\MBAM_Client_Setup.

   The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0 folder structure so that both versions are available for deployment.
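The folder, permission and copy steps above, and the equivalent steps of the Configuration Manager section (Tables 13 and 14), can be done in one script instead of through the Properties dialog. The following Windows PowerShell example is an addition to this guide, not code from the guide or from Microsoft; it assumes it runs elevated on the file server with the SMB cmdlets of Windows Server 2012 or later, and the function name New-MbamClientShare, its parameters, the media path and the account names in the calls are the editor's own placeholders.

```powershell
# Added example; not part of the MBAM Deployment Guide. Creates the MBAM client
# installation share and applies the NTFS and share permissions from Tables 13 and 14
# (Configuration Manager) or Tables 15 and 16 (scripted installation).
# Assumptions: run elevated on the file server; SMB cmdlets (Windows Server 2012+)
# are available; New-MbamClientShare and its parameters are the editor's own names.

function New-MbamClientShare {
    [CmdletBinding()]
    param(
        # Local folder to create and share
        [string] $Path = 'C:\MBAM_Client_Setup',
        [string] $ShareName = 'MBAM_Client_Setup',
        # Account that needs Read and Execute on the NTFS folder:
        # the site server computer account (Table 13) or Authenticated Users (Table 15)
        [Parameter(Mandatory)] [string] $ReadAccount,
        # Share permissions as listed in Table 14 or Table 16
        [string[]] $ShareFullAccess = @(),
        [string[]] $ShareReadAccess = @(),
        # \MBAM\Installers\2.0 on the mounted MBAM distribution media
        [Parameter(Mandatory)] [string] $MediaRoot
    )

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # NTFS: stop inheriting from the parent (which typically grants Users read) and
    # keep only the two rows of the table. ContainerInherit + ObjectInherit is the
    # "This folder, subfolders, and files" scope shown in the Advanced Security dialog.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($existing) | Out-Null
    }
    $inherit   = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [Security.AccessControl.PropagationFlags]::None
    foreach ($row in @(
            @{ Account = 'BUILTIN\Administrators'; Rights = 'FullControl' },
            @{ Account = $ReadAccount;             Rights = 'ReadAndExecute' })) {
        $rule = New-Object Security.AccessControl.FileSystemAccessRule(
            $row.Account, $row.Rights, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions: grant exactly what the table lists; no Everyone entry.
    $shareArgs = @{ Name = $ShareName; Path = $Path }
    if ($ShareFullAccess.Count -gt 0) { $shareArgs.FullAccess = $ShareFullAccess }
    if ($ShareReadAccess.Count -gt 0) { $shareArgs.ReadAccess = $ShareReadAccess }
    New-SmbShare @shareArgs | Out-Null

    # Copy the whole 2.0 folder structure so both the x64 and x86 installers are available.
    Copy-Item -Path (Join-Path $MediaRoot '*') -Destination $Path -Recurse -Force

    # Return what was produced so it can be checked before a deployment points at it.
    [pscustomobject]@{
        SharePath   = "\\$env:COMPUTERNAME\$ShareName"
        Installers  = Get-ChildItem -Path $Path -Recurse -Filter 'MbamClientSetup.exe' |
                          ForEach-Object { $_.FullName }
        NtfsAccess  = (Get-Acl -Path $Path).Access |
                          Select-Object IdentityReference, FileSystemRights, InheritanceFlags
        ShareAccess = Get-SmbShareAccess -Name $ShareName |
                          Select-Object AccountName, AccessRight
    }
}

# Configuration Manager variant (Tables 13 and 14). 'DOMAIN\SITESERVER$' is a placeholder
# for Site_Server_Account, the site server's computer account; D:\ is the mounted media.
New-MbamClientShare -ReadAccount 'DOMAIN\SITESERVER$' `
    -ShareFullAccess 'BUILTIN\Administrators', 'DOMAIN\SITESERVER$' `
    -MediaRoot 'D:\MBAM\Installers\2.0'

# Scripted-installation variant (Tables 15 and 16), run on a server without the share above:
# New-MbamClientShare -ReadAccount 'Authenticated Users' -ShareReadAccess 'Authenticated Users' `
#     -MediaRoot 'D:\MBAM\Installers\2.0'
```

Disabling inheritance is what keeps the folder's effective permissions equal to the table: a folder created under C:\ otherwise inherits a read entry for Users, which the tables do not list. The object the function returns shows the effective NTFS and share entries, so a mismatch with the table is visible before the content is handed to Configuration Manager or to a script.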

Step 4: Run MbamClientSetup.exe

For a scripted installation, the command you use to install the MBAM client must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction, as shown in the following example. If you do not include this command-line option, the Setup program stalls the deployment process to wait for user interaction.

   MbamClientSetup.exe /q

You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.

Installing the MBAM client remotely

You must install the MBAM client from an elevated command prompt. Therefore, users with restricted accounts cannot run scripts that install the MBAM client. A variety of tools and techniques are available to work around this limitation. Examples include:

- Use Windows PowerShell Remoting to run the MBAM client Setup program on a list of remote computers. For more information about Windows PowerShell Remoting, see the TechNet article, Running Remote Commands.
- Use the Windows Sysinternals PsExec tool to run processes remotely with specific credentials. For more information about PsExec and the other tools in the Sysinternals toolset, see the TechNet article, PsTools.
- Use Group Policy preferences to schedule a job in Task Scheduler that runs the MBAM client installation on targeted computers with credentials that you specify in the task. For more information about scheduling tasks by using Group Policy preferences, see the TechNet article, Configure a Scheduled Task Item.

In addition, many non-Microsoft tools are available to script the installation of programs that require elevated permissions. Many of them are free or have a nominal cost.
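The following Windows PowerShell example ties Step 4 (MbamClientSetup.exe /q, choosing the 64-bit or 32-bit installer) to the first technique listed above, Windows PowerShell Remoting. It is an addition to this guide, not code from the guide or from Microsoft. It assumes Windows PowerShell 5.0 or later on both ends (for Copy-Item -ToSession), WinRM enabled on the targets, the installers staged under \\SERVER\MBAM_Client_Setup as in Step 3, and an account that is a local administrator on the targets; the function names Install-MbamClient and Install-MbamClientRemote and the staging path are the editor's own.

```powershell
# Added example; not part of the MBAM Deployment Guide. Runs the unattended
# MbamClientSetup.exe /q installation locally and, through Windows PowerShell Remoting,
# on a list of computers. Assumptions: Windows PowerShell 5.0+ on both ends, WinRM
# enabled on the targets, installers staged under the share from Step 3; function
# names and the staging path are the editor's own.

function Install-MbamClient {
    [CmdletBinding()]
    param(
        # Folder that holds the x64 and x86 subfolders copied from \MBAM\Installers\2.0
        [Parameter(Mandatory)] [string] $SourceRoot
    )

    # Setup must run elevated; fail early with a clear message instead of a stalled installer.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Install-MbamClient must run from an elevated context.' }

    # Step 2 check: record whether the firmware has the TPM enabled. MBAM cannot use a
    # disabled TPM and the device would later report as non-compliant.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
               -ErrorAction SilentlyContinue
    $tpmEnabled = ($null -ne $tpm) -and [bool]$tpm.IsEnabled().IsEnabled

    # Match the installer to the operating system, not to the PowerShell host process.
    $arch  = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $setup = Join-Path $SourceRoot "$arch\MbamClientSetup.exe"
    if (-not (Test-Path -Path $setup)) { throw "Installer not found: $setup" }

    # /q runs Setup with no user interaction; without it the process waits for input.
    $proc = Start-Process -FilePath $setup -ArgumentList '/q' -Wait -PassThru
    # 0 = success, 3010 = success but a restart is required (standard Windows Installer codes).
    $ok = @(0, 3010) -contains $proc.ExitCode

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Architecture  = $arch
        TpmEnabled    = $tpmEnabled
        ExitCode      = $proc.ExitCode
        Succeeded     = $ok
        RestartNeeded = ($proc.ExitCode -eq 3010)
    }
}

function Install-MbamClientRemote {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # UNC path of the share created in Step 3, e.g. \\SERVER\MBAM_Client_Setup
        [Parameter(Mandatory)] [string] $SourceShare,
        # Account that is a local administrator on the targets
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Ship the function body to the remote side rather than a separate script file.
    $functionText = ${function:Install-MbamClient}.ToString()
    $staging = 'C:\Windows\Temp\MBAM_Client_Setup'

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-PSSession -ComputerName $computer -Credential $Credential -ErrorAction Stop
            # A remote session cannot open \\SERVER with the caller's credentials (the
            # "second hop"), so copy the installers through the session instead of
            # enabling credential delegation on every target.
            Invoke-Command -Session $session -ScriptBlock {
                param($dir) New-Item -Path $dir -ItemType Directory -Force | Out-Null
            } -ArgumentList $staging
            Copy-Item -Path "$SourceShare\*" -Destination $staging -ToSession $session -Recurse -Force
            Invoke-Command -Session $session -ScriptBlock {
                param($fn, $dir)
                Set-Item -Path function:Install-MbamClient -Value $fn
                Install-MbamClient -SourceRoot $dir
                Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
            } -ArgumentList $functionText, $staging
        }
        catch {
            [pscustomobject]@{ ComputerName = $computer; Succeeded = $false; Error = $_.Exception.Message }
        }
        finally {
            if ($session) { Remove-PSSession -Session $session }
        }
    }
}

# Usage with placeholder names:
# Install-MbamClientRemote -ComputerName 'PC01', 'PC02' `
#     -SourceShare '\\SERVER\MBAM_Client_Setup' -Credential (Get-Credential) | Format-Table
```

Each target returns one object, so a run over many computers ends with a table of exit codes, TPM state and whether a restart is pending, which is the input you need before checking compliance in the MBAM reports. Staging the installer through the session rather than running it from the share keeps the share readable only by the accounts in Tables 15 and 16 and avoids turning on CredSSP delegation for the installation.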

Validating the MBAM infrastructure

After deploying the MBAM server and client, verify that the MBAM infrastructure is working properly. You can validate the MBAM infrastructure by performing some common BitLocker management tasks in MBAM. For more information about how to perform BitLocker management tasks by using MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Use the MBAM Self-Service Portal to regain access to a device

Users can be locked out of their BitLocker-enabled devices if they forget their password or PIN, or if operating system files, the BIOS, or the TPM changed. Users can regain access to their device without assistance from the help desk by using the MBAM Self-Service Portal.

To use the MBAM Self-Service Portal to regain access to a device

1. In Internet Explorer, browse to the MBAM Self-Service Portal.
2. In Recovery KeyId, enter a minimum of eight digits from the 32-digit BitLocker Key ID displayed on the BitLocker recovery page of the inaccessible device.
3. In Reason, select a reason for the recovery key request, and then click Get Key.

   The MBAM Self-Service Portal obtains and displays the 48-digit BitLocker recovery key in Your BitLocker Recovery Key.

4. Enter the 48-digit BitLocker recovery key on the BitLocker recovery page on the inaccessible device.
5. The device can now be successfully started.

For more information about how to regain access to a device by using the MBAM Self-Service Portal and other BitLocker management tasks that you can perform, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Determine the BitLocker encryption state of lost or stolen devices

A common concern for most organizations is the loss or theft of a device that contains sensitive information. A BitLocker-protected device helps prevent unauthorized users from accessing the sensitive information on such a device. IT pros can determine which volumes on a device are protected and better assess the risk associated with the loss or theft of the device.

To determine the BitLocker encryption state of lost or stolen devices

1. In Internet Explorer, browse to the MBAM website.
2. In the navigation pane, in the Report node, click Computer Compliance Report.
3. In the results pane, select the appropriate filter fields to narrow the search results, and then click Search.

   Search results are shown in the list box below. Device protection is determined by the deployed BitLocker policies, which reflect the BitLocker encryption state of a device.

For more information about how to determine the BitLocker encryption state of a device by using MBAM and other BitLocker management tasks that you can perform by using MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Use a help desk portal to reset a TPM lockout

Users can be locked out of their BitLocker-enabled device if they enter an incorrect PIN too many times, which results in a TPM lockout. The number of times a user can enter an incorrect PIN before the TPM locks varies by manufacturer. You can help users regain access to their devices by using the MBAM Help Desk Portal to reset the TPM lockout.

You can reset a TPM lockout only if MBAM was used to initially provision the TPM. If the TPM was provisioned prior to MBAM deployment, the TPM data may instead be stored in AD DS (if the appropriate Group Policy settings were configured), and you cannot reset the TPM lockout by using MBAM.

To use the MBAM administration website to reset a TPM lockout

1. In Internet Explorer, browse to the MBAM administration website.
2. In the navigation pane, click Manage TPM.
3. Enter the following information, and then click Submit:

   - Fully qualified domain name of the locked device
   - Computer name of the locked device
   - Windows logon domain for the user
   - User name of the user
   - Reason for requesting the TPM owner password file

   The MBAM Help Desk Portal returns one of the following results:

   - The TPM owner password file for the device
   - A message indicating that no matching TPM owner password file was found

4. Click Save.

   Doing so saves the TPM owner password file.

5. Run the TPM management console, select the Reset TPM lockout option, and provide the TPM owner password file to reset the TPM lockout.

The TPM hash value and TPM owner password should only be used by authorized help desk and support personnel for the purpose of resolving a TPM lockout scenario. Microsoft does not recommend providing this information directly to users, because the TPM information does not change and could pose a security risk if the information does not remain secure.

For more information about how to reset a TPM lockout and other BitLocker management tasks that you can perform with MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Conclusion

Deploying MBAM can be easy and requires minimal updates to your existing infrastructure. You can deploy the MBAM server components in a stand-alone topology or, if you want to integrate with an existing System Center Configuration Manager infrastructure, a Configuration Manager topology. In either case, you can evaluate MBAM on a single server or deploy the MBAM server components in your production environment on multiple servers so that you can scale to a size appropriate for your organization.

With the infrastructure in place, you can use highly automated processes such as Group Policy, MDT, System Center Configuration Manager, or scripted installation methods to deploy the MBAM client and provision BitLocker on user devices. From there, use the MBAM Group Policy template to provide ongoing management of the MBAM client.

Download MBAM today to evaluate its deployment in your organization. MBAM is part of MDOP, and MDOP is available to TechNet subscribers and MSDN subscribers. MDOP is also available for purchase if you have Software Assurance on Windows client (including Windows Intune subscribers).

For more information about MBAM, see:

- The Microsoft Desktop Optimization Pack website to learn more about its business benefits
- The Microsoft BitLocker Administration and Monitoring content on TechNet for technical information, including videos that provide an overview and demonstrate how to set up and configure MBAM