Bitlocker Deployment Guide

Microsoft BitLocker
Administration and
Monitoring
Deployment Guide
Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprise-
scalable solution for managing BitLocker technologies, such as BitLocker Drive
Encryption and BitLocker To Go. MBAM, which is part of the Microsoft Desktop
Optimization Pack, helps you improve security compliance on devices by
simplifying the process of provisioning, managing, and supporting BitLocker-
protected devices. This guide helps you choose a deployment method for
MBAM and provides step-by-step instructions for each method.
MBAM DEPLOYMENT GUIDE | INTRODUCTION 1
Introduction
Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on
computers and removable drives running the Windows 8 or Windows 7 operating systems and
Windows to Go. Microsoft BitLocker Administration and Monitoring (MBAM) version 2.0, which
is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software
Assurance, makes BitLocker implementations easier to deploy and manage and allows
administrators to provision and monitor encryption for operating system and fixed drives.
MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for
fixed and removable drives.

For BitLocker To Goprotected drives, BitLocker stores the recovery keys
but does not monitor encryption.
The key benefits of using MBAM to manage BitLocker technologies include:
Simplified provisioning and management. BitLocker deployment is easier with MBAM,
because MBAM can be integrated with existing automated provisioning and deployment
processes to ensure that existing and new devices are protected. You can provision
BitLocker as a part of or after operating system deployment, then use Group Policy
settings for ongoing BitLocker management and compliance enforcement.
Improved compliance and reporting. Encryption and protection of sensitive
information are essential to organizational compliance programs. MBAM includes built-
in reports that provide the current BitLocker encryption status of devices. MBAM also
audits access to BitLocker recovery keys and can provide reports on who accessed
specific recovery key information.
Reduced support effort. A customized MBAM Control Panel app replaces the default
BitLocker Control Panel item and allows users to manage local MBAM and BitLocker
configuration. Secure, web-based recovery key management portals allow help desk staff

MBAM DEPLOYMENT GUIDE | INTRODUCTION 2
and users recover BitLocker-enabled devices. Together, the customized Control Panel
app and these portals allow users and IT staff to perform common tasks, such starting
the encryption process or managing the BitLocker PIN, without you having to grant
administrative rights to the managed devices. Enabling self-service support helps reduce
BitLocker-related help desk tickets by empowering users and making IT staff more
efficient and effective.
To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker
Administration and Monitoring content on the Microsoft Desktop Optimization Pack website.
This guide describes how to deploy MBAM, with a focus on automating the deployment and
configuration of the MBAM client to managed devices. It first describes the MBAM components.
Then, it shows you how to prepare for deployment and provides step-by-step instructions for
deploying the MBAM client by using the following tools and technologies:
Group Policy software installation
Microsoft Deployment Toolkit (MDT) 2012
Microsoft System Center 2012 Configuration Manager
Scripted installation (e.g., command prompt)
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 3
MBAM components
MBAM uses a clientserver model to manage BitLocker. You can deploy MBAM in either a
stand-alone or MBAM Configuration Manager topology. Each topology is discussed in
subsequent sections.
MBAM stand-alone topology
You use the MBAM stand-alone topology (illustrated in Figure 1) when your organization does
not have an existing System Center Configuration Manager infrastructure. In this topology,
MBAM and Microsoft SQL Server provide all the necessary components. If your organization has
a System Center Configuration Manager infrastructure, see MBAM Configuration Manager
topology.

Figure 1. MBAM stand-alone topology
Table 1 describes the computers and devices in this topology and provides a brief description of
MBAM components and the role of each computer and device.
Table 1. Computers and devices in the MBAM stand-alone topology
Computer or device Description
Administration and
Monitoring Server
The following features are installed on this server:
Administration and Monitoring Server. The
Administration and Monitoring Server feature is
installed on a machine running the Windows Server
operating system and consists of the Administration
and Monitoring website, which includes the reports
and the Help Desk Portal, and the monitoring web
services.
Self-Service Portal. The Self-Service Portal is
installed on a machine running Windows Server. The
portal enables users on client computers to
independently log on to a website, where they can
obtain a key to recover a locked BitLocker volume.
Database Server The following features are installed on this server:
Recovery Database. The Recovery Database is
installed on a machine running Windows Server and a
supported instance of SQL Server. This database
stores recovery data collected from MBAM client
computers.
Compliance and Audit Database. The Compliance
and Audit Database is installed on a machine running
Windows Server and a supported instance of
SQL Server. This database stores compliance data for
MBAM client computers, which is used primarily for
reports that Microsoft SQL Server Reporting Services
hosts.
Compliance and Audit Reports. The Compliance
and Audit Reports are installed on a machine running
Windows Server and a supported instance of
SQL Server that has the SQL Server Reporting Services
feature installed. They provide MBAM reports that
you can access from the Administration and
Monitoring website or directly from the SQL Server
Reporting Services server.
Management workstation The following feature is installed on the Management
workstation, which can be a computer running Windows
Server or a client operating system:
Policy Template. The Policy Template consists of
Group Policy settings that define MBAM
implementation settings for BitLocker. You can install
the Policy Template on any server or workstation, but
it is commonly installed on a management
workstation, which is a supported Windows Server
machine or client computer. The workstation does not
have to be a dedicated computer.
Managed device The MBAM client is installed on the managed Windows
device and has the following characteristics:
Uses Group Policy to enforce the BitLocker encryption
of client computers in the enterprise
Collects the recovery key for the three BitLocker data
drive types: operating system drives, fixed data drives,
and removable data (USB) drives
Collects compliance data for the computer and
passes the data to the reporting system
Active Directory Domain
Services (AD DS) domain
controller
The following feature is installed on the domain
controller:

MBAM Configuration Manager topology
Use the MBAM Configuration Manager topology (illustrated in Figure 2) when your organization
has an existing System Center Configuration Manager infrastructure. In this topology, the MBAM
components are distributed across the MBAM Administration and Monitoring Server,
SQL Server, and System Center Configuration Manager. In this topology, System Center
Configuration Manger runs some of the MBAM components. MBAM supports System
Center 2012 Configuration Manager with Service Pack 1 (SP1), System Center 2012
Configuration Manager, and Microsoft System Center Configuration Manager 2007
infrastructures.

Windows to Go is not supported when you install the System Center
Configuration Manager topology with System Center Configuration
Manager 2007.
If your organization does not have a System Center Configuration Manager infrastructure, see
MBAM stand-alone topology.

Figure 2. MBAM Configuration Manager topology
The placement of the MBAM components in the MBAM Configuration Manager topology is
similar to the MBAM stand-alone topology. Table 2 describes the computers and devices in the
MBAM Configuration Manager topology (illustrated in Figure 2) and provides a brief description
of the MBAM components and role of each computer and device.
Table 2. Computers and devices in the MBAM Configuration Manager
topology
Administration and
Monitoring Server
The following features are installed on this server:
Administration and Monitoring Server. The
Administration and Monitoring Server feature is
installed on a machine running Windows Server and
consists of the Administration and Monitoring
website, which includes the reports, the Help Desk
Portal, and the monitoring web services.
Self-Service Portal. The Self-Service Portal is
installed on a machine running Windows Server. It
enables users on client computers to independently
log on to a website, where they can obtain a key to
recover a locked BitLocker volume.
Database Server The following features are installed on this server:
Recovery Database. The Recovery Database is
installed on a machine running Windows Server and a
supported instance of SQL Server. This database
stores recovery data collected from MBAM client
computers.
Audit Database. The Audit Database is installed on a
machine running Windows Server and a supported
instance of SQL Server. This database stores audit
activity data for MBAM client computers that have
accessed recovery data.
Configuration Manager
Primary Site Server
The Configuration Manager Site Server collects the
hardware inventory information from client computers
and is used to report the BitLocker compliance of client
computers. The following features are installed on this
server:
Compliance Reports. The Compliance Reports are
installed on the machine running the Reporting
Services point site system role. They provide MBAM
reports that you can access from the Configuration
Manager console or directly from the SQL Server
Reporting Services server on the Reporting Services
point.
Audit Reports. The Compliance and Audit Reports
are installed on a machine running Windows Server
and a supported instance of SQL Server that has the
SQL Server Reporting Services feature installed. They
provide MBAM reports that you can access from the
Administration and Monitoring website or directly
from the SQL Server Reporting Services server.
Management workstation The following feature is installed on the Management
workstation, which can be run Windows Server or a
client operating system:
Configuration Manager console. The Configuration
Manager console is used to view MBAM reports.
Managed device The MBAM client and Configuration Manager client are
installed on the managed Windows device and have the
following characteristics:
Use Group Policy to enforce the BitLocker encryption
of client computers in the enterprise
Collect the recovery key for the three BitLocker data
drive types: operating system drives, fixed data drives,
and removable data (USB) drives
Enable System Center Configuration Manager to
collect hardware compatibility data about client
computers
Enable System Center Configuration Manager to
report compliance information
AD DS domain controller The following feature is installed on the domain
controller:

MBAM DEPLOYMENT GUIDE | PREPARING FOR DEPLOYMENT 12
Preparing for deployment
MBAM requires the following services and features for both the stand-alone and Configuration
Manager topologies:
AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain
members.
SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery
information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more
information on SQL Server requirements, see the section, SQL Server Database
Requirements, in the Microsoft BitLocker Administration and Monitoring 2 Administrators
Guide, which is available on Microsoft TechNet. For more information about deploying
SQL Server in the:
Stand-alone topology, see Deploying MBAM in the stand-alone topology
Configuration Manager topology, see Deploying MBAM in the Configuration Manager
topology
Group Policy. You manage MBAM client configuration by using Group Policy settings.
MBAM allows you to manage BitLocker and MBAM settings from a single template. For
more information, see Deploying the MBAM Group Policy settings.
Web server (Microsoft Internet Information Services [IIS]). The Administration and
Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the
Web Server (IIS) server role.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 13
Deploying the MBAM server
You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration
Manager topology. You will deploy the MBAM server components on different computers
(virtual or physical) depending on your scale requirements and the MBAM deployment topology
you choose.
Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two
computers to MBAMone for running MBAM web server components and one for running
SQL Server.

You can deploy MBAM in a single-server configuration. However, this
configuration is recommended for use only in test environments. For
production environments, Microsoft recommends that you use the two-
server deployment configuration.
Select the MBAM deployment topology
Which MBAM deployment topology you choose is based on whether you have System Center
Configuration Manager. Use the information in Table 3 to determine which MBAM deployment
topology is right for you.
Table 3. MBAM deployment topologies and when to select them
Topology Description
Stand-alone topology Select this topology when your organization does not have an
existing System Center Configuration Manager infrastructure
or is not planning to deploy a System Center Configuration
Manager infrastructure prior to deploying MBAM.

Topology Description
Configuration Manager
topology
Select this topology when your organization has an existing
System Center Configuration Manager infrastructure or is
planning to deploy a System Center Configuration Manager
infrastructure prior to deploying MBAM. MBAM supports
System Center 2012 Configuration Manager with SP1, System
Center 2012 Configuration Manager, and System Center
Configuration Manager 2007.

Deploy MBAM in the stand-alone topology
Deploying MBAM in the stand-alone topology typically uses two computers (physical or virtual)
for the MBAM components. The two-computer configuration is recommended for production
environments. Installation of all MBAM components on one computer is possible but
recommended only for lab or evaluation environments or small production environments. The
MBAM stand-alone topology is illustrated in Figure 1 in the section, MBAM stand-alone
topology, earlier in this guide.
To deploy MBAM in the stand-alone topology, perform the following steps:
1. Deploy a supported version of SQL Server on the designated computer.
For more information about the versions of SQL Server that MBAM supports, see the
section, SQL Server Database Requirements, in the Microsoft BitLocker Administration
and Monitoring 2 Administrators Guide, which is available on TechNet.
2. Configure SQL Server to support encrypted connections to the SQL Server Database
Engine (optional).
If you plan to secure communication between the MBAM client and the web services,
you should also secure communication to the SQL Server Database Engine by enabling
encrypted connections to it. For more information about how to do so, see Enable
Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
3. Ensure that the computer that will run the MBAM web server components has the
necessary prerequisites.

The MBAM Web Server Installation Wizard automatically checks
prerequisites before installing the MBAM web server components.
For more information about MBAM server prerequisites, see the section, Installation
Prerequisites for MBAM Server Features, in the Microsoft BitLocker Administration and
Monitoring 2 Administrators Guide, which is included with MBAM.
4. Install the MBAM server components.
For more information about how to install the MBM server components in the MBAM
stand-alone topology, see the section, How to Install and Configure MBAM on
Distributed Servers, in the Microsoft BitLocker Administration and Monitoring 2
Administrators Guide, which is included with MBAM.
Deploy MBAM in the Configuration Manager topology
Deploying MBAM in the Configuration Manager topology typically uses two computers (physical
or virtual) for the MBAM components. The two-computer configuration is recommended for
production environments. Installation of all MBAM components on one computer is possible but
recommended only for lab or evaluation environments or small production environments. In
addition, this topology requires a System Center Configuration Manager infrastructure. MBAM
has no additional system requirements for System Center Configuration Manager beyond the
standard system requirements. For more information about the system requirements for:
System Center 2012 Configuration Manager, see Supported Configurations for Configuration
Manager
System Center Configuration Manager 2007, see Configuration Manager Supported
Configurations
To deploy MBAM in the Configuration Manager topology, perform the following steps:
1. Deploy a supported version of SQL Server.

For more information about the versions of SQL Server that MBAM supports, see the
sections, SQL Server Database Requirements and SQL Server Processor, RAM, and Disk
Space Requirements, in the Microsoft BitLocker Administration and Monitoring 2
Administrators Guide, which is available on TechNet.
2. Configure the System Center Configuration Manager permissions required to install
MBAM.
For more information about how to do so, see the section, Required Permissions to
Install the MBAM Server, in the Microsoft BitLocker Administration and Monitoring 2
3. Edit and import the configuration.mof file.
For more information about how to do so, see the section, Edit the Configuration.mof
File, in the Microsoft BitLocker Administration and Monitoring 2 Administrators Guide,
which is available on TechNet.
4. Edit and import the sm_def.mof file.
For more information about how to do so, see the section, Create or Edit the
Sms_def.mof File, in the Microsoft BitLocker Administration and Monitoring 2
5. Install the MBAM web server components.
For more information about how to install the MBM web server components in the
MBAM Configuration Manager topology, see the section, How to Install MBAM with the
Configuration Manager Topology, in the Microsoft BitLocker Administration and
Monitoring 2 Administrators Guide, which is available on TechNet.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 17
Deploying the MBAM Group Policy settings
You use Group Policy settings to manage the MBAM client, and MBAM includes an
administrative template that you use to configure these settings. When you use the template, a
Group Policy object (GPO) containing the MBAM client Group Policy settings will be created; you
then link this GPO to the appropriate organizational units (OUs) in your AD DS hierarchy at
which point the policies will be deployed to the applicable members of the OU.
Install the MBAM Group Policy administrative template
MBAM includes a Group Policy administrative template that exposes all of the BitLocker and
MBAM client configuration settings in the Group Policy Editor. Install the MBAM Group Policy
administrative template on every computer from which you manage MBAM Group Policy, such
as domain controllers or administrative workstations. You can also install the Group Policy
administrative template in the Active Directory central store.
You install the MBAM Group Policy Template by running the MBAM Server Setup Wizard
(MbamSetup.exe), which is in the \MBAM\Installers\x64 folder on the MBAM source media. To
install the MBAM Group Policy templates, select only the Policy Template feature on the Select
features to install page in the MBAM Server Setup Wizard (as shown in Figure 3).

Figure 3. The Select features to install wizard page
For more information on how to install the MBAM Group Policy template, see the section, How
to Install the MBAM 2.0 Group Policy Template, in the Microsoft BitLocker Administration and
Create the MBAM Group Policy settings
The MBAM Group Policy administrative template defines policy settings for the MBAM client.
Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy
settings you need. For example, if you have two groups within your organization that will have
different configurations for BitLocker, create two GPOsone for each group of settings. You can
also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and
a PIN.
MBAM Group Policy settings are in the Group Policy Management Editor under Computer
Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker
Management). Table 4 lists the categories of MBAM Group Policy settings and provides a brief
description of each. For more information on the MBAM Group Policy settings, see the section,
Planning for MBAM 2.0 Group Policy Requirements, in the Microsoft BitLocker Administration
and Monitoring 2 Administrators Guide, which is available on TechNet.
Table 4. MBAM Group Policy setting categories
Category Description
Global Used to configure global BitLocker settings, such as the drive
encryption method and cypher strength and whether a unique
organizational identifier will be used. These settings are located in the
root of the MBAM Group Policy settings hierarchy.
Client
Management
Used to configure the client management aspects of the MBAM
client, such as the configuration of the MBAM services that the client
uses. These settings are located in the Client Management node.
Fixed Drive Used to configure the settings that affect encryption of fixed drives,
such as denying Write access to fixed drives not protected by
BitLocker or choosing how BitLocker-protected fixed drives can be
recovered. These settings are located in the Fixed Drive node.
Operating
System Drive
Used to configure the settings that affect the operating system drive,
such as requiring users to encrypt the operating system drive and the
methods for recovering BitLocker-protected operating system drives.
These settings are located in the Client Management node.
Category Description
Removable
Drive
Used to configure the settings that affect encryption of fixed drives,
such as controlling the use of BitLocker on removable drives or
choosing how BitLocker-protected removable drives can be
recovered. These settings are located in the Removable Drive node.

Configure the MBAM Group Policy settings in the GPOs that you have created (based on the
information in Table 4), and then link those GPOs to the OUs that contain the devices you will
use MBAM to manage. For more information on the MBAM Group Policy settings and the
suggested configuration, see the section, Planning for MBAM 2.0 Group Policy Requirements,
in the Microsoft BitLocker Administration and Monitoring 2 Administrators Guide, which is
available on TechNet.
Manage MBAM user exemptions
In some instances, users may need to be exempt from protecting their drives protected by
BitLocker. For example, users may bring their own devices as a part of a bring-your-own-device
initiative and do not want their devices to be BitLocker protected. You can exempt users from
MBAM enforcement of automatic BitLocker protection by using the Allow the user to be
exempted from BitLocker encryption Group Policy setting, which is under User
Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker
Management).
To exempt users from MBAM enforcement of automatic BitLocker protection, perform the
following steps:
1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to
be exempted from BitLocker encryption Group Policy setting.
2. Create a domain security group, such as MBAM Exempt Users, that contains the user
accounts of the users to be exempted.
3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the
MBAM Exempt Users domain security group (created in step 2) by using GPO security
filtering, as shown in Figure 4.

Figure 4. Configuring GPO security filtering
For more information on how to perform GPO security filtering for a specific group, see
Using Security Filtering to Apply GPOs to Selected Groups.
4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the
devices to be managed reside.
For more information on how to manage MBAM user exemptions, see the section, How to
Manage User BitLocker Encryption Exemptions, in the Microsoft BitLocker Administration and
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 22
Deploying the MBAM client
You must install the MBAM client on each BitLocker-enabled device you will use MBAM to
manage. The client is available in 64-bit and 32-bit versions that are stored in the
\MBAM\Installers\2.0\x64 and \MBAM\Installers\2.0\x86 folders, respectively, on the MBAM
source media. Select the appropriate version based on the target operating system.
The MBAM client installation files include:
MbamClientSetup.exe. This Setup program contains the MBAM client and is
appropriate for methods that require an .exe file, such as scripted installation. This
program passes any installer properties you use on its command line to the Windows
Installer package file.
MBAMClient.msi. This Windows Installer package contains the MBAM client and is
appropriate for deployment methods that require an .msi file, such as Group Policy
software deployment.
You can easily deploy the MBAM client by using almost any software or operating system
deployment tool. Table 5 lists the deployment methods that this guide describes and offers
suggestions for when to use each. You can also use a combination of these methods. For
example, you could use MDT to deploy the MBAM client during operating system deployment
and use Group Policy to deploy the MBAM client to existing computers.

To drive consistency across MBAM client installations, use highly
automated techniques to perform MBAM client deployments. For
example, if you choose command-line deployment, ensure that you
automate installation by using scripts (e.g., Windows PowerShell or batch
scripts).
Table 5. Choosing a deployment method
Method Use this method when
Group Policy You do not use an electronic software deployment (ESD)
solution, such as System Center Configuration Manager or
MDT
You already deploy software by using Group Policy
You want to deploy the MBAM client to existing computers
You want to deploy the MBAM client after operating
system images are deployed
Computers have high-speed, persistent connections to the
network share containing the installation files
MDT 2012 You use MDT for operating system deployment
You want to deploy the MBAM client during operating
system deployment
System Center
Configuration
Manager
You already use System Center Configuration Manager for
application and operating system deployment
You want to use one tool to deploy the MBAM client to
existing computers or during operating system
deployment
Computers have high-speed, persistent connections to the
distribution points in which the MBAM client installation
files reside
Method Use this method when
Scripted Installation You want to script installation as part of operating system
installation, and you are not using MDT or System
Center Configuration Manager
You want to deploy the MBAM client by using a non-
Microsoft ESD system
Computers might not have high-speed, persistent
connections to the enterprise network, and installation
from local media might be required

BitLocker partition configuration requirements
BitLocker requires that the partitions on the targeted devices be configured properly to support
BitLocker. Ensure that the targeted devices have the correct partition configuration to support
BitLocker prior to deploying the MBAM client.
BitLocker requires the following partitions:
System partition. This unencrypted partition is used to start the target device. The system
partition must have a minimum of 100 MB of space, but larger partitions are recommended.
If the system partition is 300 MB or larger, the Windows Recovery Environment is
automatically copied to the partition when BitLocker is enabled. By default, MDT
automatically creates a 512-MB system partition.
Windows partition. This encrypted partition contains the Windows operating system,
applications, and user data. It must meet the minimum required available disk space for the
desired operating system.

In addition to the BitLocker partition requirements, the device may have
requirements such as those for Unified Extensible Firmware Interface
(UEFI). For more information on the recommended partition configuration
for BIOS and UEFI devices, see 5.1 Create a DiskPart script in Basic
Windows Deployment Step-by-Step Guide.
For new device deployments or when you are replacing an existing device with a new device, the
operating system deployment process automatically creates the appropriate partitions. This is
true if you are performing the deployment by using the operating system deployment media or
by using automated processes such as MDT or System Center 2012 Configuration Manager.
However, in refresh device deployment scenarios, the existing device may have a partition
configuration that is inappropriate for BitLockerfor example, refreshing the Windows XP
operating system on an existing device with Windows 8. In these scenarios, you may need to
repartition the drive to support BitLocker before performing operating system deployment and
deploying the MBAM client. Ensure that you create the partitions based on the
recommendations in the 5.1 Create a DiskPart script in Basic Windows Deployment Step-by-
Step Guide.
For more information about how MDT creates disk partitions, see the section, Review the
Default Partition Configuration Created by MDT, in the MDT document Using the Microsoft
Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is
discussed in the sections for each MBAM client deployment method.
TPM and MBAM client deployment
The TPM is a microchip that stores the private portion of security keys that are kept separate
from the memory that the operating system controls. BitLocker uses these keys to encrypt data.
BitLocker and MBAM have the following dependencies on the TPM:
The TPM must be physically enabled. The TPM must be physically enabled on the targeted
device before BitLocker and MBAM can use it. Enabling the TPM by using the BIOS or UEFI
on the device or by using scripts to automate the process.

Have MBAM take ownership of the TPM. Taking ownership of the TPM allows MBAM to
provide users with a file they can use to reset the TPM on their device. However, it is not
required that MBAM own the TPM. Windows can automatically provision and take
ownership of the TPM, which allows the TPM management within Windows. If Windows
owns the TPM, MBAM will be unable to help users reset the TPM on their device.
Enable the TPM
BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed
or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS
or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software
and process for enabling TPM at the hardware level is unique for each device hardware
manufacturer and sometimes within models. For fully automated deployment, such as MDT or
System Center Configuration Manager, ensure that the TPM for the device is physically enabled
within the BIOS or UEFI prior to image deployment.

In addition, enabling the TPM may require that the administrator
password for the BIOS or UEFI be configured. Some hardware vendor
tools allow you to temporarily set the administrator password, enable the
TPM, and then remove the password. Please consult the documentation
from the hardware vendor specific to the BIOS or UEFI for the device.
Most hardware vendors provide software that allows you to enable the TPM from the command
line. For information about the software for enabling a TPM from a command line, contact each
specific hardware vendor.
For information on how to run the software to enable the TPM from a command line for each
deployment method, see the step for enabling the TPM on targeted devices in the following
sections:
LTI in MDT 2012
ZTI and UDI in MDT 2012
System Center 2012 Configuration Manager

Scripted installation
Set the ownership of the TPM
The TPM can have only one owner. Configure TPM ownership based on the operating system on
the target device. Table 6 lists the operating systems and the recommendation for configuring
TPM ownership.
Table 6. Operating systems and ownership of the TPM
Operating system Ownership
Windows 8 Use only one of the following :
MBAM owns the TPM. If MBAM has ownership, then
MBAM can be used to help reset the TPM.
Windows 8 owns the TPM. If Windows 8 has ownership,
then the user can use Windows 8 to help reset the TPM.
Windows 7 MBAM owns the TPM, which allows MBAM can be used to
help reset the TPM.

TPM and BitLocker pre-provisioning
BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows
operating system deployment. BitLocker pre-provisioning occurs while in the Windows
Preinstallation Environment (Windows PE) version 4.0 by using the Manage-bde.exe BitLocker
command-line utility. Automated operating system deployment methods, such as MDT and
System Center 2012 Configuration Manager with SP1 automatically preform BitLocker pre-
provisioning for Windows 8 and Windows 7 if the TPM is enabled.
To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following
methods:
Manually configuring the BIOS or UEFI. This method requires that the user performing
the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually
enabled, the operating system deployment can go on as normal.
Automatically by running a script or other software. Most device vendors have
scripts or software that allows you to enable the TPM automatically. However, these
scripts or other software may need to run in a full Windows operating system (not in
Windows PE). In instances where the script or software is unable to run in Windows PE
and you require fully automated deployment, you cannot use BitLocker pre-provisioning.
If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating
system is deployed and the full operating system is running. The length of time to encrypt after
the operating system is deployed depends on the operating system, as shown in Table 7.
Table 7. Operating system and encryption behavior after the operating
system is deployed
Operating system Encryption behavior
Windows 8 Can use the Used Disk Space Only feature to reduce the
amount of time needed to encrypt the drive. This is the
default behavior for MDT task sequences.
Windows 7 Can only encrypt the entire volume, which will take longer
than the Used Disk Space Only feature in Windows 8.
Configure the MBAM client to immediately initiate encryption during
task sequences
If you deploy the MBAM client during operating system deployment, that client does not
immediately initiate encryption by default, because the MBAM client is typically configured by
Group Policy settings. That configuration occurs after the operating system is deployed and the
user starts it for the first time. As a result, the targeted device may be in an unprotected state
the first time the user starts the device, and MBAM will not have saved the recovery keys and
other secrets.
To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys,
configure the MBAM client to immediately initiate encryption during the operating system task
sequence.

Configuring the MBAM client to immediately initiate encryption during a
task sequence is applicable only when the MBAM client is being deployed
as part of operating system deployment. However, you could also
perform these steps manually on an existing device and immediately
initiate encryption and the saving of recovery keys in MBAM.
Step 1: Create the registry import files
You must create the following registry import files:
AddMBAMRegEntries.reg. This file adds the necessary registry entries to configure the
MBAM client to immediately initiate BitLocker encryption and store the recovery keys in
MBAM.
RemoveMBAMRegEntries.reg. This file removes the registry entries that the
AddMBAMRegEntries.reg file adds. After this file runs, the registry will be ready for
normal configuration by using the MBAM Group Policy settings.
To create a registry import file that configures the MBAM client to immediately initiate
encryption during a task sequence
1. Install the MBAM client on a device that has not yet been encrypted.
2. Stop the MBAM client by typing the following command at an elevated command
prompt:
NET STOP MBAMAGENT

3. Import the registry template file MBAMDeploymentKeyTemplate.reg located in \Program
Files\Microsoft\MDOP.

4. Start RegEdit.exe, and make the following registry changes in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM:
a. Modify the KeyRecoveryServiceEndPoint registry setting to use the URL for
your MBAM server.
b. Add a new key NoStartupDelay as a DWORD with a value of 1.
5. Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM registry subkey to
the AddMBAMRegEntries.reg file by using RegEdit.exe.
To create a registry import file that removes the MBAM registry entries
1. Copy the AddMBAMRegEntries.reg file to the RemoveMBAMRegEntries.reg file.
2. In Microsoft Notepad, make the following changes to the RemoveMBAMRegEntries.reg
file, and then save the file:
a. Leave the "Installed"=dword:00000001 line untouched.
b. For all other registry keys in the file, replace everything after the equal sign (+)
with a minus sign ().
For example, change NoStartupDelay=dword:00000001 to
NoStartupDelay=-.
For more information on how to create registry files, see How to add, modify, or delete registry
subkeys and values by using a registration entries (.reg) file.
Step 2: Create a script to automate the MBAM client immediately initiating encryption
Create a script to automate the MBAM client immediately initiating encryption during a task
sequence. You can create such a script by using either Windows PowerShell or Microsoft Visual
Basic Scripting Edition (VBScript). You run this script in the task sequence for your automated
deployments in MDT or System Center Configuration Manager.
The high-level steps that the script must perform are as follows:
1. Determine whether the MBAM client has been installed.
2. Stop the MBAM client service.
3. Import the AddMBAMRegEntries.reg file to the registry.
4. Start the MBAM client service.
5. Verify that encryption has started on the desired disk volume.
6. Import the RemoveMBAMRegEntries.reg file.
7. Restart the MBAM client service.
For an example of how to implement a script that performs these functions, see the section,
Automating the process with a script, in the TechNet article, Using MBAM to start BitLocker
Encryption in a Task Sequence.
Step 3: Add a task sequence step to run the script
You must add a task sequence step to run the script immediately after the task sequence step to
install the MBAM client. The type of task sequence step you add is based on how you created
the script. For example, if you created the script by using Windows PowerShell, then add a Run
PowerShell Script task sequence step. If you used VBScript, then add a Run Command Line
task sequence step.
You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software
installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a
network share for the MBAM client installation files, and then create a GPO that installs the
appropriate Windows Installer package file on each computer.
To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use
Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to
target computers in a particular security group or computers that are running Windows 8 or
Windows 7.

You cannot use command-line options when you use Group Policy to
deploy the MBAM client. In this scenario, the easiest way to configure the
MBAM client is to use the MBAM Client Policy administrative template.
Alternatively, you can create a transform for the MBAM client Windows
Installer package files and apply that transform when you create the GPO.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can enable encryption with MBAM, you must ensure that the partitions on the
targeted devices are configured properly for BitLocker deployment. Group Policy software
installationbased deployments are always performed on devices where the operating system
has been deployed. Ensure that the partitions on the targeted devices are configured properly
for BitLocker deployment, as described in the section, BitLocker partition configuration
requirements in this guide.

If the partitions on a targeted device are not configured properly for
BitLocker deployment, consider refreshing the operating system on the
device to create the proper partitions. For more information, see the
section Lite Touch Installation in MDT 2012 or Zero Touch Installation and
User-Driven Installation in MDT 2012.
Step 2: Enable the TPM on targeted devices
Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.
The process for enabling the TPM is different for each device manufacturer and sometimes even
across models within a device manufacturer. The high-level process for automatically enabling
the TPM is as follows:
1. Package the vendor-specific software for enabling TPM as an .msi package.
In some instances, the vendor-specific software may be scripts and cannot be easily
packaged as an .msi file. In these instances, use one of the other methods for enabling
TPM.
2. Create a network shared folder that contains the .msi package created in the previous
step.
3. Create a GPO to install the .msi package (such as Enable TPM Policy).
4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a
WMI query to determine whether the TPM is enabled on targeted devices.
5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if
applicable.
6. Link the Enable TPM Policy GPO to the appropriate OUs.

Step 3: Share the installation files
You must create a network share that contains the MBAM client Setup files. This network share
must be accessible to all computers on which you want to install the MBAM client. Grant Read
access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and
MBAM Client Setup is the name of the folder you are creating to contain the MBAM client
installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 8
describes. To configure NTFS file system permissions, right-click the folder, click
Properties, and then click Advanced on the Security tab.
Table 8. NTFS file system permissions for the MBAM client setup
folder
Account Permissions Applies to
Administrators Full control This folder, subfolders, and files
Authenticated Users Read and Execute This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 9 describes. To
configure share permissions, right-click the folder, click Properties, and then click the
Sharing tab.
Table 9. Share permissions for the MBAM client setup folder
Account Permissions
Authenticated Users Read

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to
\\SERVER\MBAM_Client_Setup.
The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which
contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire
\MBAM\Installers\2.0 folder structure so that both versions are available for deployment.
Step 4: Create a GPO to install the MBAM client
You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a
client running the Remote Server Administration Tools. You can create a GPO that installs only
the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of
your MBAM policies in one location. The steps in this section install both the x64 and x86 agents
by using a single GPO, allowing Group Policy to determine the correct version to install.
To create and edit a GPO to deploy the x64 and x86 MBAM client
1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client
Installation):
a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click
New.
b. In the Name box, type MBAM Client Installation, and then click OK.
2. In the navigation pane, right-click MBAM Client Installation, and then click Edit.
3. In the Group Policy Management Editor, right-click Software Installation in Computer
Configuration\Policies\Software Settings, point to New, and then click Package.
4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit
version of MBAMClient.msi in the x64 folder, and then click Open.

Make sure you open the file from the network share you created earlier and not from a
local path.
5. In the Deploy Software dialog box, click Advanced, and then click OK.
6. In the Name box on the General tab of the MDOP MBAM Properties dialog box,
append x64 to the end of the name, and then click OK.
This will help you to distinguish between the x86 and x64 versions later.
7. In the Group Policy Management Editor, right-click Software Installation in Computer
Configuration\Policies\Software Settings, point to New, and then click Package.
8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in
the x86 folder, and then click Open.
Make sure you open the file from the network share you created earlier and not from a
local path.
9. In the Deploy Software dialog box, click Advanced, and then click OK.
10. In the MDOP MBAM Properties dialog box, complete the following steps, and then
click OK:
a. On the General tab, in the Name box, append x86 to the end of the name.
b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86
application available to Win64 machines check box and click OK.
Clearing this check box prevents Group Policy from installing the 32-bit MBAM client
on 64-bit operating systems, ensuring that the correct version of the MBAM client is
installed for each system type.
11. Close the Group Policy Management Editor.
Step 5: Link the GPO to OUs
You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in
those OUs. You can link the GPO to individual OUs. If the computers you want to target for
installation are in multiple OUs, you can link the GPO to the domain and use security or WMI
filtering to limit installation to specific computers, types of computers, or Windows versions,
which is discussed in the section, Step 6: Optionally target the GPO.
To link the GPO to an OU
1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation
GPO, and then click Link an Existing GPO.
2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client
Installation, and then click OK.
Step 6: Optionally target the GPO
When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all
computers in that OU, installing the MBAM client on them. In some cases, however, this might
not be desirable. You can target MBAM client deployment to specific computers within an OU
by using security or WMI filtering. See Table 10 for more information.
Table 10. Filtering the MBAM Client Installation GPO
Method Description
Security
filtering
This filtering method allows you to target specific computers based on
membership in AD DS security groups. The members of the security group
can be computer objects or other security groups containing computer
objects. You control the deployment of the MBAM client to specific
computers by adding or removing them from the security group. For more
information about security filtering, see Filter Using Security Groups.
WMI
filtering
This filtering method allows you to target specific computers based on a
WMI query. For example, you could use a WMI query to target the
operating system version on computers and deploy the MBAM client only
if the operating system is Windows 8 or Windows 7.
You create a WMI filter separately, and then link the WMI filter to the GPO
that you created to deploy the MBAM client. For more information about
WMI filtering and how to create a WMI filter, see Work with WMI Filters.

Lite Touch Installation in MDT 2012
You can deploy the MBAM client during operating system deployment by using the Lite Touch
Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client
installation files as an application, and then adding an Install Application step for the agent to
your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, MDT
installs the client automatically, which ensures that that the encryption is started or completed
before users receive their device and is protected before they start the device for the first time.
The MBAM client will be ready for use before users log on to the device for the first time.

Windows 8 includes the BitLocker Used Disk Space Only encryption
feature, which encrypts only the disk space currently in use instead of the
entire disk volume. This feature dramatically reduces the time required to
encrypt a disk volume.

By default, MDT automatically performs Used Disk Space Only encryption
when enabling BitLocker for Windows 8 deployments to reduce the
length of time required to deploy Windows 8.
The following sections describe the steps necessary to complete each task in the Deployment
Workbench:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Add the MBAM client to the Applications node of your deployment share.
4. Configure the MBAM client application to hide it from users in the Deployment Wizard.
5. Add an Install Application step to your existing operating system task sequences.
6. Configure the MDT BitLocker-related configuration settings.
7. Immediately initiate encryption by using the MBAM client during tasks sequences.

For more information about using MDT to install applications during
operating system deployment, see the MDT documentation.

Before you can enable with MBAM, ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. For new devices or for devices that are being
replaced, MDT automatically creates the necessary partitions to support BitLocker. When
refreshing an existing device, LTI automatically resizes and creates the necessary partitions to
support BitLocker, if there is sufficient available disk space.
Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.
The scripts or software for enabling the TPM are different for each device manufacturer and
sometimes even across models within a device manufacturer.
By default, LTI performs BitLocker pre-provisioning for new device, refresh device, and replace
device deployment scenarios. BitLocker pre-provisioning occurs while the target device is
running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for
enabling the TPM can:
Run in Windows PE, then you can support BitLocker pre-provisioning
Only run in a Windows operating system, then you must either:
Manually enable the TPM to support BitLocker pre-provisioning
Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but
still as a part of the task sequence
For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-
provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts
or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before
the Enable BitLocker (Offline) task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a
Windows operating system (no BitLocker pre-provisioning support)
TPM.
Place the Install Application task sequence step in the State Restore group immediately
before the Enable BitLocker task sequence step.
For more information on enabling the TPM, see Enable the TPM.
Step 3: Add the MBAM client application
When you add an application to your MDT deployment share, you must specify the command
that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client
installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based
on the target operating system version.
The command you specify for MBAM client installation must include the /q command-line
option to perform an unattended installation. This option runs MbamClientSetup.exe with no
user interaction. If you do not include this command-line option, the Setup program stalls the
deployment process to wait for user interaction.
To add the MBAM client to your deployment share
1. In the Deployment Workbench, click Applications under Deployment
Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the
name of your deployment share).
2. In the Actions pane, click New Application.
3. Complete each page of the New Application Wizard:
Page Steps
Application Type 1. Click Application with source files.
2. Click Next.
Select the Application without source files or elsewhere on
the network check box if you already have the installation files
in a network share. For more information, see the section,
Create a New Application That Is Deployed from Another
Network Share, in the MDT documentation.
Details 1. In the Application Name box, type MBAM Client 64-bit.
2. Click Next.
The remaining text boxes on this page are optional and
informational only. Although they do not affect deployment of
the MBAM client, completing the remaining text boxes can
prove useful later when you are maintaining the deployment
share.
Source 1. In the Source directory box, type the path of the
\MBAM\Installers\2.0\x64 folder that contains
MbamClientSetup.exe.
The Source directory box supports autocomplete, but you
can click Browse to locate the files.
2. Click Next.
Page Steps
Destination 1. In the Specify the name of the directory that should be
created box, optionally edit the name of the folder that the
New Application Wizard will create in the deployment share.
The wizard suggests a name based on the publisher, name,
and version that you provided on the Details page.
2. Click Next.
Command Details 1. In the Command line box, type the command you want to
run to install the MBAM clientfor example:
MbamClientSetup.exe.exe /q
2. Click Next.
Summary 1. In the Details area, review the information that the Add New
Application Wizard collected.
2. Click Next.
Progress 1. Monitor the wizards progress as it adds the application to
your deployment share.
Confirmation 1. Review the results, and then click Finish.
If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New
Application Wizard, changing the following:
In step 1, in Application Name, type MBAM Client 32-bit.
In step 3, browse to the \MBAM\Installers\2.0\x86 folder.
Step 4: Configure the application
After adding the application to your MDT deployment share, configure it to hide the application
in the Deployment Wizard from users so they cannot prevent installation during deployment by
selecting the Hide this application in the Deployment Wizard check box. Hiding the
application prevents the user from selecting the application, which could create errors in the
deployment process, because the application would try to install twice and one installation
would return a failure code.
To customize the MBAM client in your deployment share
1. In the Applications node of the deployment share, right-click the MBAM client
application that you previously added, and then click Properties.
2. On the General tab of the applications Properties dialog box, select the Hide this
application in the Deployment Wizard check box.
3. Click OK.
Step 5: Edit task sequences
Install the MBAM client application during operating system deployment by adding it to task
sequences. By adding the MBAM client to your existing task sequences, you can install the agent
automatically, with no interaction from the user. This method helps to ensure that the MBAM
client is available immediately, before users log on to the computer.
To install the MBAM client in an LTI task sequence
1. In the Deployment Workbench, click Task Sequences under Deployment
Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the
name of your deployment share).
2. In the results pane, right-click the task sequence to which you want to add the MBAM
client, and then click Properties.
3. On the Task Sequence tab of the task sequences Properties dialog box, click the Install
Applications task sequence step.
This step is in the State Restore group. The task sequence editor adds the new task
sequence step immediately after this step.
4. From the Add menu, click General, and then click Install Application.
5. Click the new Install Application task sequence step that you just added, then perform
the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click Install a single application, click Browse, click the MBAM client application
in the Select An Item dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select
this check box only if you want the task sequence to continue running if the
MBAM client fails to install during operating system deployment.
Click OK to close the task sequences Properties dialog box.
Step 6: Configure MDT BitLocker-related settings
You can configure BitLocker-related settings by using one the following methods in LTI:
MDT properties specified in the CustomSettings.ini file or the MDT database (MDT DB)
The benefit of this method is that you can prevent configuration errors by making the
configuration settings in advance. This allows you to bypass the BitLocker page in the
Deployment Wizard. The following are the MDT properties that you must set to fully
automate BitLocker configuration for LTI deployments and bypass the BitLocker page:
BDEDriveLetter
BDEDriveSize
BDEInstall
BDEInstallSuppress
BDERecoveryKey
TPMOwnerPassword
OSDBitLockerStartupKeyDrive
OSDBitLockerWaitForEncryption
For more information these MDT properties, see the corresponding sections in the MDT
document Toolkit Reference.
The BitLocker page in the Deployment Wizard (shown in Figure 5)
The benefit of this method is that you can provide the BitLocker configuration settings at the
time of deployment. This allows the user performing the deployment to make BitLocker
configuration changes as required on a device-by-device basis at the time of deployment.

Figure 5. The BitLocker page in the Deployment Wizard
Step 7: Add a task sequence step to immediately initiate encryption by using the MBAM
client
By default, the MBAM client initiates encryption and saves the recovery keys when configured by
the MBAM Group Policy settings. However, this can leave the device in an unprotected state for
a period of time.
You can configure the MBAM client to immediately initiate encryption in a task sequence step.
For more information on how to do this, see Configure the MBAM client to immediately initiate
encryption during task sequence.
Zero Touch Installation and User-Driven Installation in MDT 2012
You can deploy the MBAM client by using the application model in System Center 2012
Configuration Manager. You create applications in the Applications node of the Configuration
Manager console. By using System Center 2012 Configuration Manager, you can use a single
deployment tool to install the MBAM client on existing computers as well as during operating
system deployment:
Deployment to existing computers. This method deploys the MBAM client to targeted
computers that already exist or deploys the MBAM client immediately after operating
system deployment is complete. The advantage of this method is that it covers both
scenarios (existing computers and new computers). This process will be discussed in the
section, System Center 2012 Configuration Manager Application Model.
Installation during operating system deployment. This method installs the MBAM
client during operating system deployment so that the agent is immediately available.
The benefit of this method is that the encryption can be started or completed before
users receive their device, and the device is protected before the user starts it for the first
time. After you create the application in the Configuration Manager console, simply add
an Install Application step to the operating system deployment task sequence. This
process is discussed in this section.
You can deploy the MBAM client during operating system deployment by using the Zero Touch
Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the
client installation files as an application, and then adding an Install Application step for the
agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, ZTI
and UDI install the client automatically, which ensures that that the encryption is started or
completed before users receive their device and the device is protected before users starts it for
the first time.. The MBAM client will be ready for use before users log on to the device for the
first time.

Windows 8 includes the BitLocker Used Disk Space Only encryption
feature, which encrypts only the disk space currently in use instead of the
entire disk volume. This feature dramatically reduces the time required to
encrypt a disk volume.

By default, MDT automatically performs Used Disk Space Only encryption
when enabling BitLocker for Windows 8 deployments to reduce the
length of time required to deploy Windows 8.
The following tasks describe the steps necessary to complete each task:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Create and share a content folder for the MBAM client installation files.
4. Create a System Center 2012 Configuration Manager application for the MBAM client
installation.
5. Distribute the System Center 2012 Configuration Manager application to the distribution
points.
6. Deploy the System Center 2012 Configuration Manager application to the targeted
computers.
7. Add an Install Application step to your existing operating system task sequences.
8. Configure the MDT BitLocker-related configuration settings.
9. Immediately initiate encryption by using the MBAM client during tasks sequences.


For more information about using MDT to install applications during
operating system deployment, see the MDT documentation.
Before you can use MBAM, you need to ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. For new devices or devices that are being
replaced, MDT automatically creates the necessary partitions to support BitLocker. When
refreshing an existing device, MDT automatically resizes and creates the necessary partitions to
support BitLocker (if there is sufficient available disk space) after the operating system has been
deployed in the State Restore group.

If you want ZTI and UDI to automatically create the appropriate partitions
for the refresh device deployment scenario in ZTI and UDI, perform a
replace device deployment scenario, and treat the existing device as the
original and replacement device. In this way, you back up the user state
from the device, wipe the device, deploy the operating system, and then
restore the user state to the device. Ensure that you store the user state in
a network shared folder or in local storage on a disk other than where the
operating system will be deployed.
Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The
scripts or software for enabling the TPM are different for each device manufacturer and
sometimes even different across models within a device manufacturer.
By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for new device and
replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device
is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for
enabling the TPM can:

Run in Windows PE, then you can support BitLocker pre-provisioning
Run only in a Windows operating system, you must either:
Manually enable the TPM to support BitLocker pre-provisioning
Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but
still as a part of the task sequence

If you want to use BitLocker pre-provisioning for the refresh device
deployment scenario for ZTI and UDI, perform a replace device
deployment scenario, and treat the existing device as the original and
replacement device. In this way, you back up the user state from the
device, wipe the device, deploy the operating system, and then restore
the user state to the device. Ensure that you store the user state in a
network shared folder or in local storage on a disk other than where the
operating system will be deployed.
For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-
provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts
or software that can run in Windows PE
TPM.
Place the Install Application task sequence step in the Preinstall group immediately before
the Pre-provision BitLocker task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a
Windows operating system (no BitLocker pre-provisioning support)
TPM.

2. Create an MDT Application that contains the software in the previous step.
3. Install the application created in the previous step by using the Install Application task
sequence step.
Place the Install Application task sequence step in the State Restore group immediately
before the Enable BitLocker task sequence step.
Step 3: Share the installation content
When you create a System Center 2012 Configuration Manager application, you must specify a
source for the application content. The source must be a network share that is accessible to
System Center 2012 Configuration Manager, because System Center 2012 Configuration
Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM
client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 13
describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and
then click Advanced on the Security tab.
folder
Site_Server_Account Read and
Execute
This folder, subfolders, and files

Sharing tab.
Account Permissions
Administrators Full control
Site_Server_Account Full control

4. Copy the \MBAM\Installers\2.0folder structure from the MBAM distribution media to
\\SERVER\MBAM Client Setup.
The \MBAM\Installers\2.0folder structure includes the x64 and x86 folders, which contain
the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire
\MBAM\Installers\2.0\folder structure so that both versions are available for deployment.
Step 4: Create the MBAM client application
When you create a System Center 2012 Configuration Manager application, you must specify
the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM
client, MBAMClient.msi requires less effort because of automatic detection of product codes and
other application settings. Creating applications in System Center 2012 Configuration Manager
is based on MSI files, which:
Allow System Center 2012 Configuration Manager to detect whether the application is
already installed
Use a well-known System Center 2012 Configuration Manager deployment type
Simplify the ongoing management of the MBAM client by simplifying updates
To create the MBAM client application in System Center 2012 Configuration Manager
1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Applications in Overview\Application
Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:
Page Steps
General 1. Click Manually specify the application information.
2. Click Next.
General: General
Information
1. In the Name box, type MBAM Client.
2. Select the Allow this application to be installed from the
Install Application task sequence action without being
deployed check box.
Selecting this check box allows you to use task sequence
variables to install the MBAM client.
3. Click Next.
informational. Although they do not affect the deployment of
the MBAM client, completing them can prove useful later when
you are maintaining the deployment share.
General:
Application
Catalog
1. Click Next.
The text boxes on this page are optional and prompt for
information that you want to display in the application catalog.
However, this deployment guide recommends that you hide the
MBAM client from the application catalog.
General: 1. Click Add to add a deployment type for the 64-bit version of
Page Steps
Deployment Types the MBAM client (MBAMClient.msi in the
\MBAM\Installers\2.0\x64 folder).
2. On the General page of the Create Deployment Type
Wizard, click Browse, open MBAMClient.msi from the
location in which you shared the installation sources
(e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
3. On the Import Information page of the Create Deployment
Type Wizard, click Next.
4. On the General Information page of the Create
Deployment Type Wizard, perform the following steps:
a. In the Name box, append x64 to the end of the
name for easier identification later.
b. In the Installation program box, add /q to the end
of the command.
c. Click Next.
5. On the Requirements page of the Create Deployment Type
Wizard, perform the following steps:
a. Click Add.
b. Click Operating system in the Condition list.
c. In the operating system list, select All Windows 7
(64-bit) and All Windows 8 (64-bit). (Select the 64-
bit operating systems that you want to support.)
d. Click OK.
e. Click Next.
6. On the Dependencies page of the Create Deployment Type
Wizard, click Next.
7. On the Summary page of the Create Deployment Type
Page Steps
Wizard, review the deployment type details, and then click
Next.
8. On the Completion page of the Create Deployment Type
Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version
of the MBAM client (MBAMClient.msi in the
\MBAM\Installers\2.0\x86), and then click Next.
Summary 1. In the Details area, review the information that the Create
Application Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Create Application Wizard while
it creates the application.
Completion 1. Verify that the Create Application Wizard finished
successfully, and then click Close.
Step 5: Distribute the MBAM client application
After creating the MBAM client application in System Center 2012 Configuration Manager, you
must distribute the application content to your distribution points. Targeted computers will
install the MBAM client from the distribution points. You use the Distribute Content Wizard in
the Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.
3. Complete each page of the Distribute Content Wizard:
Page Steps
General 1. Click Next.
General: Content 1. Click Next.
General: Content
Destination
1. Click Add, and then click Distribution Point.
2. In the Add Distribution Points dialog box, select the
distribution points to which you want to distribute the
MBAM client installation content, and then click OK.
3. Click Next.
Summary 1. In the Details area, review the information that the
Distribute Content Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Distribute Content Wizard while
it distributes the MBAM client installation content.
Completion 1. Verify that the Distribute Content Wizard finished
After completing the Distribute Content Wizard, verify successful distribution of the installation
content before continuing to deploy the MBAM client application. To do so, click Refresh in the
Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution
status on the Summary tab at the bottom. When the content status shows that content
distribution is successful, you can deploy the MBAM client application.
Step 6: Deploy the MBAM client application
You can deploy the MBAM client application to users or devices. Because the agent is computer-
centric, Microsoft recommends that you deploy it to computer collectionsnot user collections.
You use the Deploy Software Wizard in the Configuration Manager console to deploy the
MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 Configuration Manager application
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:
Page Steps
General 1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections
on the left side; on the right side, click a device collection to
which you want to deploy the MBAM client, and then click
OK.
3. Click Next.
You can choose one of the built-in collections or your own
collection. For more information about creating collections in
System Center 2012 Configuration Manager, see the TechNet
article, How to Create Collections in Configuration Manager.
Content 1. Click Next.
Deployment
Settings
1. In the Purpose list, click Required.
2. Click Next.
Selecting Required in the Purpose list forces installation of the
MBAM client application on targeted computers. System
Center 2012 Configuration Manager also reinstalls the agent if
users remove it.
Page Steps
Scheduling 1. Click Next.
User Experience 1. In the User notifications list, click Hide in Software Center
and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications
prevents System Center 2012 Configuration Manager from
notifying users about the installation of the MBAM client. This
recommended setting prevents any user interaction or
interference with deployment.
Alerts 1. Click Next.
Summary 1. In the Details area, review the information that the Deploy
Software Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Deploy Software Wizard while it
deploys the MBAM client application.
Completion 1. Verify that the Deploy Software Wizard finished successfully,
and then click Close.
Step 7: Edit task sequences
Install the MBAM client application during operating system deployment by adding the MBAM
client application to existing task sequences. In this way, you can install the client automatically,
with no interaction or interference from users. Doing so helps to ensure that the MBAM client is
available immediately, before users log on to the computer.
To install the MBAM client in a System Center 2012 Configuration Manager task sequence
2. In the Software Library workspace, click Task Sequences in Overview\Operating Systems.
3. In the results pane, right-click the task sequence to which you want to add the MBAM
client, and then click Edit.
4. Click the Install Applications group under the State Restore group. The task sequence
editor adds the new step in this group.
5. From the Add menu, click General, and then click Install Application.
6. Click the new Install Application task sequence step that you just added, then perform
the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click New (the button that looks like a star), click the MBAM client application in
the Select The Application To Install dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box.
Select this check only if you want the task sequence to continue running if the
MBAM Client fails to install during operating system deployment.
7. Click OK to close the Task Sequence Editor dialog box.
Step 8: Configure MDT BitLocker-related settings
You can configure BitLocker-related settings by using one the following methods in MDT:
MDT properties specified in the CustomSettings.ini file or the MDT DB
This method must be used in ZTI deployments. You can use this method for UDI
deployments to help prevent configuration errors by making the configuration settings in
advance. Doing so allows you to bypass the BitLocker page in the UDI Wizard. The following
are the MDT properties that you must set to fully automate BitLocker configuration for ZTI
deployments or bypass the BitLocker page in the UDI Wizard for UDI deployments:
BDEDriveLetter
BDEDriveSize
BDEInstall
BDEInstallSuppress
BDERecoveryKey
TPMOwnerPassword
OSDBitLockerStartupKeyDrive
OSDBitLockerWaitForEncryption
For more information on these MDT properties, see the corresponding sections in the MDT
document Toolkit Reference.
BitLocker page in the UDI Wizard (as shown in Figure 6)
The benefit of this method is that you can provide the BitLocker configuration settings at the
time of deployment. This allows the user performing the deployment to make BitLocker
configuration changes as required on a device-by-device basis at the time of deployment.

Figure 6. BitLocker Page in the UDI Wizard
Step 9: Add a task sequence step to immediately initiate encryption by using the MBAM
client
By default, the MBAM client initiates encryption and saves the recovery keys when configured by
the MBAM Group Policy settings. However, this process can leave the device in an unprotected
state for a period of time.
You can configure the MBAM client to immediately initiate encryption in a task sequence step.
For more information on how to do this, see Configure the MBAM client to immediately initiate
encryption during task sequence.
System Center 2012 Configuration Manager Application Model
You can deploy the MBAM client by using the application model in System Center 2012
Configuration Manager. You create applications in the Applications node of the Configuration
Manager console. By using System Center 2012 Configuration Manager, you can use a single
deployment tool to install the MBAM client on existing computers as well as during operating
system deployment:
Deployment to existing computers. This method deploys the MBAM client to targeted
computers that already exist or deploys the MBAM client immediately after operating
system deployment is complete. The advantage of this method is that it covers both
scenarios (existing computers and new computers). This process is discussed in this
section.
Installation during operating system deployment. This method installs the MBAM
client during operating system deployment so that the agent is immediately available.
The benefit of this method is that the encryption can be started or completed before
users receive their device, and the device is protected before the user starts it for the first
time. After you create the application in the Configuration Manager console, simply add
an Install Application step to the operating system deployment task sequence. This
process was discussed in the section, Zero Touch Installation and User-Driven Installation
in MDT 2012.

You can also deploy the MBAM client by using the package and program
feature in System Center Configuration Manager 2007. For more
information on how to deploy software using the package and program
feature, see Tasks for Software Distribution.
The following sections describe the steps necessary to complete each task in the Configuration
Manager console:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a content folder for the MBAM client installation files.

4. Create a System Center 2012 Configuration Manager application for the MBAM client
installation.
5. Distribute the System Center 2012 Configuration Manager application to the distribution
points.
6. Deploy the System Center 2012 Configuration Manager application to the targeted
computers.

You can automate the steps listed above by creating a custom System
Center Configuration Manager task sequence. For more information, see
the section, To create a custom task sequence, in the TechNet article
How to Create Task Sequences.
For more information about using System Center 2012 Configuration Manager to deploy
applications, see the Microsoft TechNet article, System Center Technical Resources.
Before you can enable with MBAM, ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. Because this section focuses on deploying the
MBAM client on existing devices, the deployment is always performed on devices where the
operating system has been deployed. Ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment as described in the section, BitLocker partition
configuration requirements in this guide.


Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. You
can manually enable the TPM on the targeted devices or automate enabling the TPM on the
targeted devices by using scripts or software. The scripts or software for enabling the TPM are
different for each device manufacturer and sometimes even different across models within a
device manufacturer.
To automatically enable the TPM by using scripts or software
TPM.
2. Create a System Center 2012 Configuration Manager application that contains the
software in the previous step.
3. Distribute the application to the distribution points.
4. Deploy the application to the appropriate user or device collections.
Step 3: Share the installation content
When you create a System Center 2012 Configuration Manager application, you must specify a
source for the application content. The source must be a network share that is accessible to
System Center 2012 Configuration Manager, because System Center 2012 Configuration
Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 13
describes.
folder
Site_Server_Account Read and
Execute
This folder, subfolders, and files

Sharing tab.
Account Permissions
Administrators Full control
Site_Server_Account Full control

\MBAM\Installers\2.0\folder structure so that both versions are available for deployment.
Step 4: Create the MBAM client application
When you create a System Center 2012 Configuration Manager application, you must specify
the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM
client, MBAMClient.msi requires less effort because of automatic detection of product codes and
other application settings. Creating applications in System Center 2012 Configuration Manager
is based on MSI files, which:
Allow System Center 2012 Configuration Manager to detect whether the application is
already installed
Use a well-known System Center 2012 Configuration Manager deployment type
Simplify the ongoing management of the MBAM client by simplifying updates
To create the MBAM client application in System Center 2012 Configuration Manager
2. In the Software Library workspace, click Applications in Overview\Application
Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:
Page Steps
General 1. Click Manually specify the application information.
2. Click Next.
Page Steps
General: General
Information
1. In the Name box, type MBAM Client.
2. Select the Allow this application to be installed from the
Install Application task sequence action without being
deployed check box.
Selecting this check box allows you to use task sequence
variables to install the MBAM client.
3. Click Next.
informational. Although they do not affect the deployment of
the MBAM client, completing them can prove useful later when
you are maintaining the deployment share.
General:
Application
Catalog
1. Click Next.
The text boxes on this page are optional and prompt for
information that you want to display in the application catalog.
However, this deployment guide recommends that you hide the
MBAM client from the application catalog.
General:
Deployment Types
1. Click Add to add a deployment type for the 64-bit version of
the MBAM client (MBAMClient.msi in the
\MBAM\Installers\2.0\x64 folder).
2. On the General page of the Create Deployment Type
Wizard, click Browse, open MBAMClient.msi from the
location in which you shared the installation sources
(e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
3. On the Import Information page of the Create Deployment
Type Wizard, click Next.
4. On the General Information page of the Create
Page Steps
Deployment Type Wizard, perform the following steps:
a. In the Name box, append x64 to the end of the
name for easier identification later.
b. In the Installation program box, add /q to the end
of the command.
c. Click Next.
5. On the Requirements page of the Create Deployment Type
Wizard, perform the following steps:
a. Click Add.
b. Click Operating system in the Condition list.
c. In the operating system list, select All Windows 7
(64-bit) and All Windows 8 (64-bit). (Select the
64-bit operating systems that you want to support.)
d. Click OK.
e. Click Next.
6. On the Dependencies page of the Create Deployment Type
Wizard, click Next.
7. On the Summary page of the Create Deployment Type
Wizard, review the deployment type details, and then click
Next.
8. On the Completion page of the Create Deployment Type
Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version
of the MBAM client (MBAMClient.msi in the
\MBAM\Installers\2.0\x86), and then click Next.
Page Steps
Summary 1. In the Details area, review the information that the Create
Application Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Create Application Wizard while
it creates the application.
Completion 1. Verify that the Create Application Wizard finished

If you decided to automatically enable the TPM by using a script or
software in Step 2: Enable the TPM on targeted devices, make certain you
set the application created in that step as a dependency for the
deployment type for the application created in this step. For more
information on creating System Center 2012 Configuration Manager
application dependencies, see Step 7: Specify Dependencies for the
Deployment Type on TechNet.
Step 5: Distribute the MBAM client application
After creating the MBAM client application in System Center 2012 Configuration Manager, you
must distribute the application content to your distribution points. Targeted computers install
the MBAM client from the distribution points. You use the Distribute Content Wizard in the
Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 Configuration Manager application
2. In the Deployment group on the Ribbon, click Distribute Content.

3. Complete each page of the Distribute Content Wizard:
Page Steps
General 1. Click Next.
General: Content 1. Click Next.
General: Content
Destination
1. Click Add, and then click Distribution Point.
2. In the Add Distribution Points dialog box, select the
distribution points to which you want to distribute the
MBAM client installation content, and then click OK.
3. Click Next.
Summary 1. In the Details area, review the information that the
Distribute Content Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Distribute Content Wizard while
it distributes the MBAM client installation content.
Completion 1. Verify that the Distribute Content Wizard finished
After completing the Distribute Content Wizard, verify successful distribution of the installation
content before continuing to deploy the MBAM client application. To do so, click Refresh in the
Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution
status on the Summary tab at the bottom. When the content status shows that content
distribution is successful, you can deploy the MBAM client application.
Step 6: Deploy the MBAM client application
You can deploy the MBAM client application to users or devices. Because the agent is computer-
centric, Microsoft recommends that you deploy it to computer collectionsnot user collections.
You use the Deploy Software Wizard in the Configuration Manager console to deploy the
MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 Configuration Manager application
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:
Page Steps
General 1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections
on the left side; on the right side, click a device collection to
which you want to deploy the MBAM client, and then click
OK.
3. Click Next.
You can choose one of the built-in collections or your own
collection. For more information about creating collections in
System Center 2012 Configuration Manager, see the TechNet
article, How to Create Collections in Configuration Manager.
Content 1. Click Next.
Page Steps
Deployment
Settings
1. In the Purpose list, click Required.
2. Click Next.
Selecting Required in the Purpose list forces installation of the
MBAM client application on targeted computers. System
Center 2012 Configuration Manager also reinstalls the agent if
users remove it.
Scheduling 1. Click Next.
User Experience 1. In the User notifications list, click Hide in Software Center
and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications
prevents System Center 2012 Configuration Manager from
notifying users about the installation of the MBAM client. This
recommended setting prevents any user interaction or
interference with deployment.
Alerts 1. Click Next.
Summary 1. In the Details area, review the information that the Deploy
Software Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Deploy Software Wizard while it
deploys the MBAM client application.
Page Steps
Completion 1. Verify that the Deploy Software Wizard finished successfully,
and then click Close.
Scripted installation
If you do not use MDT or System Center 2012 Configuration Manager to deploy applications in
your environment and you do not want to use Group Policy software installation, you can script
installation by using batch scripts, Windows PowerShell scripts, and so on. With this technique,
you are essentially performing a command-line installation. You can use the same technique to
install the MBAM client by using any non-Microsoft ESD system.
The following sections describe the steps necessary to complete each task:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a folder containing the MBAM client installation files.
4. Run MbamClientSetup.exe from the network share containing the installation files.
Before you can use MBAM, you need to ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. Because this section focuses on deploying the
MBAM client on existing devices, the deployment is always performed on devices where the
operating system has been deployed. Ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment as described in the section, BitLocker partition
configuration requirements, in this guide.

Before you deploy the MBAM client to the targeted devices, enable the TPM on them. You can
manually enable the TPM on the targeted devices or automate the process by using scripts or
software. The scripts or software for enabling the TPM are different for each device
manufacturer and sometimes even different across models within a device manufacturer.
To automatically enable the TPM by using scripts or software
TPM.
2. Create a batch file or script that runs the software in the previous step.
3. Ensure that you run the software to enable the TPM prior to running
MbamClientSetup.exe and installing the MBAM client.
Step 3: Share the installation files
Create a network share that contains the MBAM client installation files. This network share must
be accessible to all computers on which you want to install the MBAM client. You can give Read
access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 15
describes.

folder
Authenticated Users Read and Execute This folder, subfolders, and files

3. Share the folder MBAM_Client_ Setup by using the permissions that Table 16 describes.
To configure share permissions, right-click the folder, click Properties, and then click the
Sharing tab.
Account Permissions
Authenticated Users Read

\MBAM\Installers\2.0 folder structure so that both versions are available for deployment.
Step 4: Run MbamClientSetup.exe
For a scripted installation, the command you use to install the MBAM client must include the /q
command-line option to perform an unattended installation. This option runs
MbamClientSetup.exe with no user interaction, as shown in the following example. If you do not
include this command-line option, the Setup program stalls the deployment process to wait for
user interaction.
MbamClientSetup.exe /q

You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target
operating system version.

Installing the MBAM client remotely
You must install the MBAM client from an elevated command prompt.
Therefore, users with restricted accounts cannot run scripts that install
the MBAM client. A variety of tools and techniques are available to
work around this limitation. Examples include:
Use Windows PowerShell Remoting to run the MBAM client Setup program on a list
of remote computers. For more information about Windows PowerShell Remoting,
see the TechNet article, Running Remote Commands.
Use the Windows Sysinternals PsExec tool to run processes remotely with specific
credentials. For more information about PsExec and the other amazing tools in the
Sysinternals toolset, see the TechNet article, PsTools.
Use Group Policy preferences to schedule a job in Task Scheduler that runs the
Microsoft User Experience Virtualization Agent installation on targeted computers
with credentials that you specify in the task. For more information about scheduling
tasks by using Group Policy preferences, see the TechNet article, Configure a
Scheduled Task Item.
In addition, many non-Microsoft tools are available to script the installation of programs
that require elevated permissions. Many of them are free or have a nominal cost.

MBAM DEPLOYMENT GUIDE | VALIDATING THE MBAM INFRASTRUCTURE 75
Validating the MBAM infrastructure
After deploying the MBAM server and client, verify that the MBAM infrastructure is working
properly. You can validate the MBAM infrastructure by performing some common BitLocker
management tasks in MBAM. For more information about how to perform BitLocker
management tasks by using MBAM, see the section, Performing BitLocker Management with
MBAM, in the Microsoft BitLocker Administration and Monitoring 2 Administrators Guide,
which is available on TechNet.
Use the MBAM Self-Service Portal to regain access to a device
You can prevent users from accessing their BitLocker-enabled devices if they forget their
password or PIN, changed operating system files, changed the BIOS, or changed the TPM. Users
can regain access to their device without assistance from the help desk by using the MBAM Self-
Service Portal.
To use the MBAM Self-Service Portal to regain access to a device
1. In Internet Explorer, browse to the MBAM Self-Service Portal.
2. In Recovery KeyId, enter a minimum of eight digits from the 32-digit BitLocker Key ID
displayed on the BitLocker recovery page of the inaccessible device.
3. In Reason, select a reason for the recovery key request, and then click Get Key.
The MBAM Self-Service Portal obtains and displays the 48-digit BitLocker recovery key in
Your BitLocker Recovery Key.
4. Enter the 48-digit BitLocker recovery key on the BitLocker recovery page on the
inaccessible device.
5. The device can now be successfully started.
For more information about how to regain access to a device by using the MBAM Self-
Service Portal and other BitLocker management tasks that you can perform, see the
section, Performing BitLocker Management with MBAM, in the Microsoft BitLocker
Administration and Monitoring 2 Administrators Guide, which is available on TechNet.
Determine the BitLocker encryption state of lost or stolen devices
A common concern for most organizations is the loss or theft of a device that contains sensitive
information. A BitLocker-protected device helps prevent unauthorized users from accessing the
sensitive information on such a device. IT pros can determine which volumes on a device are
protected and better assess the risk associated with the loss or theft of the device.
To determine the BitLocker encryption state of lost or stolen devices
1. In Internet Explorer, browse to the MBAM website.
2. In the navigation pane, in the Report node, click Computer Compliance Report.
3. In the results pane, select the appropriate filter fields to narrow the search results, and
then click Search.
Search results are shown in the list box below. Device protection is determined by the
deployed BitLocker policies, which reflect the BitLocker encryption state of a device.
For more information about how to determine the BitLocker encryption state of a device by
using MBAM and other BitLocker management tasks that you can perform by using MBAM, see
the section, Performing BitLocker Management with MBAM, in the Microsoft BitLocker
Administration and Monitoring 2 Administrators Guide, which is available on TechNet.

Use a help desk portal to reset a TPM lockout
You can prevent users from accessing their BitLocker-enabled device if they enter an incorrect
PIN too many times, which results in a TPM lockout. The number of times a user can enter an
incorrect PIN before the TPM locks varies by manufacturer. You can help users regain access to
their devices by using the MBAM Help Desk Portal to reset the TPM lockout.

You can reset a TPM lockout only if MBAM was used to initially provision
the TPM. If the TPM was provisioned prior to MBAM deployment, the TPM
data may be stored in AD DS if the appropriate Group Policy settings
were configured and you cannot reset a TPM lockout by using MBAM.
To use the MBAM administration website to reset a TPM lockout
1. In Internet Explorer, browse to the MBAM administration website.
2. In the navigation pane, click Manage TPM.
3. Enter the following information, and then click Submit:
Fully qualified domain name of the locked device
Computer name of the locked device
Windows logon domain for the user
User name of the user
Reason for requesting the TPM owner password file
The MBAM Help Desk Portal returns one of the following results:
The TPM owner password file for the device
A message indicating that no matching TPM owner password file was found
4. Click Save.
Doing so saves the TPM owner password file.

5. Run the TPM management console, select the Reset TPM lockout option, and provide
the TPM owner password file to reset the TPM lockout.

The TPM hash value and TPM owner password should only be
used by authorized help desk and support personnel for the
purpose of resolving a TPM lockout scenario. Microsoft does not
recommend providing this information directly to users, because
the TPM information does not change and could pose a security
risk if the information does not remain secure.
For more information about how to reset a TPM lockout and other BitLocker management
tasks that you can perform with MBAM, see the section, Performing BitLocker Management
with MBAM, in the Microsoft BitLocker Administration and Monitoring 2 Administrators
Guide, which is available on TechNet.

MBAM DEPLOYMENT GUIDE | CONCLUSION 79
Conclusion
Deploying MBAM can be easy and requires minimal updates to your existing infrastructure. You
can deploy the MBAM server components in a stand-alone topology or, if you want to integrate
with an existing System Center Configuration Manager infrastructure, a Configuration Manager
topology. In either case, you can evaluate MBAM on a single server or deploy the MBAM server
components in your production environment on multiple servers so that you can scale to a size
appropriate for your organization.
With the infrastructure in place, you can use highly automated processes such as Group Policy,
MDT, System Center Configuration Manager, or scripted installation methods to deploy the
MBAM client and provision BitLocker on user devices. From there, use the MBAM Group Policy
template to provide ongoing management of the MBAM client.
Download MBAM today to evaluate its deployment in your organization. MBAM is part of
MDOP, and MDOP is available to TechNet subscribers and MSDN subscribers. MDOP is also
available for purchase if you have Software Assurance on Windows client (including Windows
Intune subscribers).
For more information about MBAM, see:
The Microsoft Desktop Optimization Pack website to learn more about its business benefits
The Microsoft BitLocker Administration and Monitoring content on TechNet for technical
information, including videos that provide an overview and demonstrate how to set up and
configure MBAM

Bitlocker Deployment Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bitlocker Deployment Guide

Uploaded by

Copyright:

Available Formats

Microsoft BitLocker

You might also like