MBAM Deployment Guide

Microsoft BitLocker Administration and Monitoring Deployment Guide Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprisescalable solution for managing BitLocker technologies, such as BitLocker Drive Encryption and BitLocker To Go. MBAM, which is part of the Microsoft Desktop Optimization Pack, helps you improve security compliance on devices by simplifying the process of provisioning, managing, and supporting BitLockerprotected devices. This guide helps you choose a deployment method for MBAM and provides step-by-step instructions for each method.

MBAM DEPLOYMENT GUIDE

| INTRODUCTION 1

Introduction Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on computers and removable drives running the Windows 8 or Windows 7 operating systems and Windows to Go. Microsoft BitLocker Administration and Monitoring (MBAM) version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance, makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives.

For BitLocker To Go–protected drives, BitLocker stores the recovery keys but does not monitor encryption.

The key benefits of using MBAM to manage BitLocker technologies include: 

Simplified provisioning and management. BitLocker deployment is easier with MBAM, because MBAM can be integrated with existing automated provisioning and deployment processes to ensure that existing and new devices are protected. You can provision BitLocker as a part of or after operating system deployment, then use Group Policy settings for ongoing BitLocker management and compliance enforcement.



Improved compliance and reporting. Encryption and protection of sensitive information are essential to organizational compliance programs. MBAM includes builtin reports that provide the current BitLocker encryption status of devices. MBAM also audits access to BitLocker recovery keys and can provide reports on who accessed specific recovery key information.



Reduced support effort. A customized MBAM Control Panel app replaces the default BitLocker Control Panel item and allows users to manage local MBAM and BitLocker configuration. Secure, web-based recovery key management portals allow help desk staff


| INTRODUCTION 2

and users recover BitLocker-enabled devices. Together, the customized Control Panel app and these portals allow users and IT staff to perform common tasks, such starting the encryption process or managing the BitLocker PIN, without you having to grant administrative rights to the managed devices. Enabling self-service support helps reduce BitLocker-related help desk tickets by empowering users and making IT staff more efficient and effective. To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker Administration and Monitoring content on the Microsoft Desktop Optimization Pack website. This guide describes how to deploy MBAM, with a focus on automating the deployment and configuration of the MBAM client to managed devices. It first describes the MBAM components. Then, it shows you how to prepare for deployment and provides step-by-step instructions for deploying the MBAM client by using the following tools and technologies: 

Group Policy software installation



Microsoft Deployment Toolkit (MDT) 2012



Microsoft System Center 2012 Configuration Manager



Scripted installation (e.g., command prompt)


| MBAM COMPONENTS 3

MBAM components MBAM uses a client–server model to manage BitLocker. You can deploy MBAM in either a stand-alone or MBAM Configuration Manager topology. Each topology is discussed in subsequent sections.

MBAM stand-alone topology You use the MBAM stand-alone topology (illustrated in Figure 1) when your organization does not have an existing System Center Configuration Manager infrastructure. In this topology, MBAM and Microsoft SQL Server provide all the necessary components. If your organization has a System Center Configuration Manager infrastructure, see MBAM Configuration Manager topology.


| MBAM COMPONENTS 4

Figure 1. MBAM stand-alone topology Table 1 describes the computers and devices in this topology and provides a brief description of MBAM components and the role of each computer and device.

Table 1. Computers and devices in the MBAM stand-alone topology Computer or device

Description

Administration and Monitoring Server

The following features are installed on this server: 

Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a machine running the Windows Server operating system and consists of the Administration and Monitoring website, which includes the reports and the Help Desk Portal, and the monitoring web services.



Self-Service Portal. The Self-Service Portal is installed on a machine running Windows Server. The portal enables users on client computers to independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.


| MBAM COMPONENTS 5

Computer or device

Description

Database Server


Recovery Database. The Recovery Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.



Compliance and Audit Database. The Compliance and Audit Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores compliance data for MBAM client computers, which is used primarily for reports that Microsoft SQL Server Reporting Services hosts.



Compliance and Audit Reports. The Compliance and Audit Reports are installed on a machine running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.

Management workstation

The following feature is installed on the Management workstation, which can be a computer running Windows Server or a client operating system: 

Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.


| MBAM COMPONENTS 6

Computer or device

Description

Managed device

The MBAM client is installed on the managed Windows device and has the following characteristics:

Active Directory Domain Services (AD DS) domain controller



Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise



Collects the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives



Collects compliance data for the computer and passes the data to the reporting system The following feature is installed on the domain controller:




MBAM Configuration Manager topology Use the MBAM Configuration Manager topology (illustrated in Figure 2) when your organization has an existing System Center Configuration Manager infrastructure. In this topology, the MBAM components are distributed across the MBAM Administration and Monitoring Server, SQL Server, and System Center Configuration Manager. In this topology, System Center Configuration Manger runs some of the MBAM components. MBAM supports System Center 2012 Configuration Manager with Service Pack 1 (SP1), System Center 2012


| MBAM COMPONENTS 7

Configuration Manager, and Microsoft System Center Configuration Manager 2007 infrastructures.

Windows to Go is not supported when you install the System Center Configuration Manager topology with System Center Configuration Manager 2007.

If your organization does not have a System Center Configuration Manager infrastructure, see MBAM stand-alone topology.


| MBAM COMPONENTS 8

Figure 2. MBAM Configuration Manager topology The placement of the MBAM components in the MBAM Configuration Manager topology is similar to the MBAM stand-alone topology. Table 2 describes the computers and devices in the MBAM Configuration Manager topology (illustrated in Figure 2) and provides a brief description of the MBAM components and role of each computer and device.

Table 2. Computers and devices in the MBAM Configuration Manager topology Computer or device

Description

Administration and Monitoring Server


Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a machine running Windows Server and consists of the Administration and Monitoring website, which includes the reports, the Help Desk Portal, and the monitoring web services.



Self-Service Portal. The Self-Service Portal is installed on a machine running Windows Server. It enables users on client computers to independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.


| MBAM COMPONENTS 9

Computer or device

Description

Database Server


Recovery Database. The Recovery Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.



Audit Database. The Audit Database is installed on a machine running Windows Server and a supported instance of SQL Server. This database stores audit activity data for MBAM client computers that have accessed recovery data.

Configuration Manager Primary Site Server

The Configuration Manager Site Server collects the hardware inventory information from client computers and is used to report the BitLocker compliance of client computers. The following features are installed on this server: 

Compliance Reports. The Compliance Reports are installed on the machine running the Reporting Services point site system role. They provide MBAM reports that you can access from the Configuration Manager console or directly from the SQL Server Reporting Services server on the Reporting Services point.



Audit Reports. The Compliance and Audit Reports are installed on a machine running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.


| MBAM COMPONENTS 10

Computer or device

Description

Management workstation

The following feature is installed on the Management workstation, which can be run Windows Server or a client operating system: 




Configuration Manager console. The Configuration Manager console is used to view MBAM reports.

Managed device

The MBAM client and Configuration Manager client are installed on the managed Windows device and have the following characteristics: 

Use Group Policy to enforce the BitLocker encryption of client computers in the enterprise



Collect the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives



Enable System Center Configuration Manager to collect hardware compatibility data about client computers



Enable System Center Configuration Manager to report compliance information


| MBAM COMPONENTS 11

Computer or device

Description

AD DS domain controller

The following feature is installed on the domain controller: 



| PREPARING FOR DEPLOYMENT 12

Preparing for deployment MBAM requires the following services and features for both the stand-alone and Configuration Manager topologies: 

AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain members. MBAM supports the Windows Server 2008 domain functional level or later.



SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more information on SQL Server requirements, see the section, “SQL Server Database Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on Microsoft TechNet. For more information about deploying SQL Server in the: 

Stand-alone topology, see Deploying MBAM in the stand-alone topology



Configuration Manager topology, see Deploying MBAM in the Configuration Manager topology



Group Policy. You manage MBAM client configuration by using Group Policy settings. MBAM allows you to manage BitLocker and MBAM settings from a single template. For more information, see Deploying the MBAM Group Policy settings.



Web server (Microsoft Internet Information Services [IIS]). The Administration and Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the Web Server (IIS) server role.


| DEPLOYING THE MBAM SERVER 13

Deploying the MBAM server You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration Manager topology. You will deploy the MBAM server components on different computers (virtual or physical) depending on your scale requirements and the MBAM deployment topology you choose. Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two computers to MBAM—one for running MBAM web server components and one for running SQL Server.

You can deploy MBAM in a single-server configuration. However, this configuration is recommended for use only in test environments. For production environments, Microsoft recommends that you use the twoserver deployment configuration.

Select the MBAM deployment topology Which MBAM deployment topology you choose is based on whether you have System Center Configuration Manager. Use the information in Table 3 to determine which MBAM deployment topology is right for you.

Table 3. MBAM deployment topologies and when to select them Topology

Description

Stand-alone topology

Select this topology when your organization does not have an existing System Center Configuration Manager infrastructure or is not planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM.



Topology

Description

Configuration Manager topology

Select this topology when your organization has an existing System Center Configuration Manager infrastructure or is planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM. MBAM supports System Center 2012 Configuration Manager with SP1, System Center 2012 Configuration Manager, and System Center Configuration Manager 2007.

Deploy MBAM in the stand-alone topology Deploying MBAM in the stand-alone topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. The MBAM stand-alone topology is illustrated in Figure 1 in the section, “MBAM stand-alone topology,“ earlier in this guide. To deploy MBAM in the stand-alone topology, perform the following steps: 1. Deploy a supported version of SQL Server on the designated computer. For more information about the versions of SQL Server that MBAM supports, see the section, “SQL Server Database Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet. 2. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional). If you plan to secure communication between the MBAM client and the web services, you should also secure communication to the SQL Server Database Engine by enabling encrypted connections to it. For more information about how to do so, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager). 3. Ensure that the computer that will run the MBAM web server components has the necessary prerequisites.



The MBAM Web Server Installation Wizard automatically checks prerequisites before installing the MBAM web server components.

For more information about MBAM server prerequisites, see the section, “Installation Prerequisites for MBAM Server Features,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM. 4. Install the MBAM server components. For more information about how to install the MBM server components in the MBAM stand-alone topology, see the section, “How to Install and Configure MBAM on Distributed Servers,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM.

Deploy MBAM in the Configuration Manager topology Deploying MBAM in the Configuration Manager topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. In addition, this topology requires a System Center Configuration Manager infrastructure. MBAM has no additional system requirements for System Center Configuration Manager beyond the standard system requirements. For more information about the system requirements for: 

System Center 2012 Configuration Manager, see Supported Configurations for Configuration Manager



System Center Configuration Manager 2007, see Configuration Manager Supported Configurations

To deploy MBAM in the Configuration Manager topology, perform the following steps: 1. Deploy a supported version of SQL Server.



For more information about the versions of SQL Server that MBAM supports, see the sections, “SQL Server Database Requirements” and “SQL Server Processor, RAM, and Disk Space Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet. 2. Configure the System Center Configuration Manager permissions required to install MBAM. For more information about how to do so, see the section, “Required Permissions to Install the MBAM Server,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet. 3. Edit and import the configuration.mof file. For more information about how to do so, see the section, “Edit the Configuration.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet. 4. Edit and import the sm_def.mof file. For more information about how to do so, see the section, “Create or Edit the Sms_def.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet. 5. Install the MBAM web server components. For more information about how to install the MBM web server components in the MBAM Configuration Manager topology, see the section, “How to Install MBAM with the Configuration Manager Topology,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.


| DEPLOYING THE MBAM GROUP POLICY SETTINGS

17

Deploying the MBAM Group Policy settings You use Group Policy settings to manage the MBAM client, and MBAM includes an administrative template that you use to configure these settings. When you use the template, a Group Policy object (GPO) containing the MBAM client Group Policy settings will be created; you then link this GPO to the appropriate organizational units (OUs) in your AD DS hierarchy at which point the policies will be deployed to the applicable members of the OU.

Install the MBAM Group Policy administrative template MBAM includes a Group Policy administrative template that exposes all of the BitLocker and MBAM client configuration settings in the Group Policy Editor. Install the MBAM Group Policy administrative template on every computer from which you manage MBAM Group Policy, such as domain controllers or administrative workstations. You can also install the Group Policy administrative template in the Active Directory central store. You install the MBAM Group Policy Template by running the MBAM Server Setup Wizard (MbamSetup.exe), which is in the \MBAM\Installers\x64 folder on the MBAM source media. To install the MBAM Group Policy templates, select only the Policy Template feature on the Select features to install page in the MBAM Server Setup Wizard (as shown in Figure 3).



18

Figure 3. The Select features to install wizard page For more information on how to install the MBAM Group Policy template, see the section, “How to Install the MBAM 2.0 Group Policy Template,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Create the MBAM Group Policy settings The MBAM Group Policy administrative template defines policy settings for the MBAM client. Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy settings you need. For example, if you have two groups within your organization that will have different configurations for BitLocker, create two GPOs—one for each group of settings. You can



19

also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and a PIN. MBAM Group Policy settings are in the Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management). Table 4 lists the categories of MBAM Group Policy settings and provides a brief description of each. For more information on the MBAM Group Policy settings, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Table 4. MBAM Group Policy setting categories Category

Description

Global

Used to configure global BitLocker settings, such as the drive encryption method and cypher strength and whether a unique organizational identifier will be used. These settings are located in the root of the MBAM Group Policy settings hierarchy.

Client Management

Used to configure the client management aspects of the MBAM client, such as the configuration of the MBAM services that the client uses. These settings are located in the Client Management node.

Fixed Drive

Used to configure the settings that affect encryption of fixed drives, such as denying Write access to fixed drives not protected by BitLocker or choosing how BitLocker-protected fixed drives can be recovered. These settings are located in the Fixed Drive node.

Operating System Drive

Used to configure the settings that affect the operating system drive, such as requiring users to encrypt the operating system drive and the methods for recovering BitLocker-protected operating system drives. These settings are located in the Client Management node.



Category

Description

Removable Drive

Used to configure the settings that affect encryption of fixed drives, such as controlling the use of BitLocker on removable drives or choosing how BitLocker-protected removable drives can be recovered. These settings are located in the Removable Drive node.

20

Configure the MBAM Group Policy settings in the GPOs that you have created (based on the information in Table 4), and then link those GPOs to the OUs that contain the devices you will use MBAM to manage. For more information on the MBAM Group Policy settings and the suggested configuration, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Manage MBAM user exemptions In some instances, users may need to be exempt from protecting their drives protected by BitLocker. For example, users may bring their own devices as a part of a bring-your-own-device initiative and do not want their devices to be BitLocker protected. You can exempt users from MBAM enforcement of automatic BitLocker protection by using the Allow the user to be exempted from BitLocker encryption Group Policy setting, which is under User Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management). To exempt users from MBAM enforcement of automatic BitLocker protection, perform the following steps: 1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to be exempted from BitLocker encryption Group Policy setting. 2. Create a domain security group, such as MBAM Exempt Users, that contains the user accounts of the users to be exempted. 3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the MBAM Exempt Users domain security group (created in step 2) by using GPO security filtering, as shown in Figure 4.



21

Figure 4. Configuring GPO security filtering For more information on how to perform GPO security filtering for a specific group, see Using Security Filtering to Apply GPOs to Selected Groups. 4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the devices to be managed reside. For more information on how to manage MBAM user exemptions, see the section, “How to Manage User BitLocker Encryption Exemptions,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.


| DEPLOYING THE MBAM CLIENT 22

Deploying the MBAM client You must install the MBAM client on each BitLocker-enabled device you will use MBAM to manage. The client is available in 64-bit and 32-bit versions that are stored in the \MBAM\Installers\2.0\x64 and \MBAM\Installers\2.0\x86 folders, respectively, on the MBAM source media. Select the appropriate version based on the target operating system. The MBAM client installation files include: 

MbamClientSetup.exe. This Setup program contains the MBAM client and is appropriate for methods that require an .exe file, such as scripted installation. This program passes any installer properties you use on its command line to the Windows Installer package file.



MBAMClient.msi. This Windows Installer package contains the MBAM client and is appropriate for deployment methods that require an .msi file, such as Group Policy software deployment.

You can easily deploy the MBAM client by using almost any software or operating system deployment tool. Table 5 lists the deployment methods that this guide describes and offers suggestions for when to use each. You can also use a combination of these methods. For example, you could use MDT to deploy the MBAM client during operating system deployment and use Group Policy to deploy the MBAM client to existing computers.

To drive consistency across MBAM client installations, use highly automated techniques to perform MBAM client deployments. For example, if you choose command-line deployment, ensure that you automate installation by using scripts (e.g., Windows PowerShell or batch scripts).



Table 5. Choosing a deployment method Method

Use this method when

Group Policy



You do not use an electronic software deployment (ESD) solution, such as System Center Configuration Manager or MDT



You already deploy software by using Group Policy



You want to deploy the MBAM client to existing computers



You want to deploy the MBAM client after operating system images are deployed



Computers have high-speed, persistent connections to the network share containing the installation files



You use MDT for operating system deployment



You want to deploy the MBAM client during operating system deployment



You already use System Center Configuration Manager for application and operating system deployment



You want to use one tool to deploy the MBAM client to existing computers or during operating system deployment



Computers have high-speed, persistent connections to the distribution points in which the MBAM client installation files reside

MDT 2012

System Center Configuration Manager



Method

Use this method when

Scripted Installation



You want to script installation as part of operating system installation, and you are not using MDT or System Center Configuration Manager



You want to deploy the MBAM client by using a nonMicrosoft ESD system



Computers might not have high-speed, persistent connections to the enterprise network, and installation from local media might be required

BitLocker partition configuration requirements BitLocker requires that the partitions on the targeted devices be configured properly to support BitLocker. Ensure that the targeted devices have the correct partition configuration to support BitLocker prior to deploying the MBAM client. BitLocker requires the following partitions: 

System partition. This unencrypted partition is used to start the target device. The system partition must have a minimum of 100 MB of space, but larger partitions are recommended. If the system partition is 300 MB or larger, the Windows Recovery Environment is automatically copied to the partition when BitLocker is enabled. By default, MDT automatically creates a 512-MB system partition.



Windows partition. This encrypted partition contains the Windows operating system, applications, and user data. It must meet the minimum required available disk space for the desired operating system.



In addition to the BitLocker partition requirements, the device may have requirements such as those for Unified Extensible Firmware Interface (UEFI). For more information on the recommended partition configuration for BIOS and UEFI devices, see “5.1 Create a DiskPart script” in Basic Windows Deployment Step-by-Step Guide.

For new device deployments or when you are replacing an existing device with a new device, the operating system deployment process automatically creates the appropriate partitions. This is true if you are performing the deployment by using the operating system deployment media or by using automated processes such as MDT or System Center 2012 Configuration Manager. However, in refresh device deployment scenarios, the existing device may have a partition configuration that is inappropriate for BitLocker—for example, refreshing the Windows XP operating system on an existing device with Windows 8. In these scenarios, you may need to repartition the drive to support BitLocker before performing operating system deployment and deploying the MBAM client. Ensure that you create the partitions based on the recommendations in the “5.1 Create a DiskPart script” in Basic Windows Deployment Step-byStep Guide. For more information about how MDT creates disk partitions, see the section, “Review the Default Partition Configuration Created by MDT,” in the MDT document Using the Microsoft Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is discussed in the sections for each MBAM client deployment method.

TPM and MBAM client deployment The TPM is a microchip that stores the private portion of security keys that are kept separate from the memory that the operating system controls. BitLocker uses these keys to encrypt data. BitLocker and MBAM have the following dependencies on the TPM: 

The TPM must be physically enabled. The TPM must be physically enabled on the targeted device before BitLocker and MBAM can use it. Enabling the TPM by using the BIOS or UEFI on the device or by using scripts to automate the process.





Have MBAM take ownership of the TPM. Taking ownership of the TPM allows MBAM to provide users with a file they can use to reset the TPM on their device. However, it is not required that MBAM own the TPM. Windows can automatically provision and take ownership of the TPM, which allows the TPM management within Windows. If Windows owns the TPM, MBAM will be unable to help users reset the TPM on their device.

Enable the TPM BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software and process for enabling TPM at the hardware level is unique for each device hardware manufacturer and sometimes within models. For fully automated deployment, such as MDT or System Center Configuration Manager, ensure that the TPM for the device is physically enabled within the BIOS or UEFI prior to image deployment.

In addition, enabling the TPM may require that the administrator password for the BIOS or UEFI be configured. Some hardware vendor tools allow you to temporarily set the administrator password, enable the TPM, and then remove the password. Please consult the documentation from the hardware vendor specific to the BIOS or UEFI for the device.

Most hardware vendors provide software that allows you to enable the TPM from the command line. For information about the software for enabling a TPM from a command line, contact each specific hardware vendor. For information on how to run the software to enable the TPM from a command line for each deployment method, see the step for enabling the TPM on targeted devices in the following sections: 

Group Policy software installation



LTI in MDT 2012



ZTI and UDI in MDT 2012



System Center 2012 Configuration Manager





Scripted installation

Set the ownership of the TPM The TPM can have only one owner. Configure TPM ownership based on the operating system on the target device. Table 6 lists the operating systems and the recommendation for configuring TPM ownership.

Table 6. Operating systems and ownership of the TPM Operating system

Ownership

Windows 8

Use only one of the following :

Windows 7



MBAM owns the TPM. If MBAM has ownership, then MBAM can be used to help reset the TPM.



Windows 8 owns the TPM. If Windows 8 has ownership, then the user can use Windows 8 to help reset the TPM.

MBAM owns the TPM, which allows MBAM can be used to help reset the TPM.

TPM and BitLocker pre-provisioning BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows operating system deployment. BitLocker pre-provisioning occurs while in the Windows Preinstallation Environment (Windows PE) version 4.0 by using the Manage-bde.exe BitLocker command-line utility. Automated operating system deployment methods, such as MDT and System Center 2012 Configuration Manager with SP1 automatically preform BitLocker preprovisioning for Windows 8 and Windows 7 if the TPM is enabled. To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following methods:





Manually configuring the BIOS or UEFI. This method requires that the user performing the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually enabled, the operating system deployment can go on as normal.



Automatically by running a script or other software. Most device vendors have scripts or software that allows you to enable the TPM automatically. However, these scripts or other software may need to run in a full Windows operating system (not in Windows PE). In instances where the script or software is unable to run in Windows PE and you require fully automated deployment, you cannot use BitLocker pre-provisioning.

If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating system is deployed and the full operating system is running. The length of time to encrypt after the operating system is deployed depends on the operating system, as shown in Table 7.

Table 7. Operating system and encryption behavior after the operating system is deployed Operating system

Encryption behavior

Windows 8

Can use the Used Disk Space Only feature to reduce the amount of time needed to encrypt the drive. This is the default behavior for MDT task sequences.

Windows 7

Can only encrypt the entire volume, which will take longer than the Used Disk Space Only feature in Windows 8.

Configure the MBAM client to immediately initiate encryption during task sequences If you deploy the MBAM client during operating system deployment, that client does not immediately initiate encryption by default, because the MBAM client is typically configured by Group Policy settings. That configuration occurs after the operating system is deployed and the user starts it for the first time. As a result, the targeted device may be in an unprotected state the first time the user starts the device, and MBAM will not have saved the recovery keys and other secrets.



To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys, configure the MBAM client to immediately initiate encryption during the operating system task sequence.

Configuring the MBAM client to immediately initiate encryption during a task sequence is applicable only when the MBAM client is being deployed as part of operating system deployment. However, you could also perform these steps manually on an existing device and immediately initiate encryption and the saving of recovery keys in MBAM.

Step 1: Create the registry import files You must create the following registry import files: 

AddMBAMRegEntries.reg. This file adds the necessary registry entries to configure the MBAM client to immediately initiate BitLocker encryption and store the recovery keys in MBAM.



RemoveMBAMRegEntries.reg. This file removes the registry entries that the AddMBAMRegEntries.reg file adds. After this file runs, the registry will be ready for normal configuration by using the MBAM Group Policy settings.

To create a registry import file that configures the MBAM client to immediately initiate encryption during a task sequence 1. Install the MBAM client on a device that has not yet been encrypted. 2. Stop the MBAM client by typing the following command at an elevated command prompt: NET STOP MBAMAGENT

3. Import the registry template file MBAMDeploymentKeyTemplate.reg located in \Program Files\Microsoft\MDOP.



4. Start RegEdit.exe, and make the following registry changes in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM: a. Modify the KeyRecoveryServiceEndPoint registry setting to use the URL for your MBAM server. b. Add a new key NoStartupDelay as a DWORD with a value of 1. 5. Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM registry subkey to the AddMBAMRegEntries.reg file by using RegEdit.exe. To create a registry import file that removes the MBAM registry entries 1. Copy the AddMBAMRegEntries.reg file to the RemoveMBAMRegEntries.reg file. 2. In Microsoft Notepad, make the following changes to the RemoveMBAMRegEntries.reg file, and then save the file: a. Leave the "Installed"=dword:00000001 line untouched. b. For all other registry keys in the file, replace everything after the equal sign (+) with a minus sign (−). For example, change “NoStartupDelay”=dword:00000001 to “NoStartupDelay”=-. For more information on how to create registry files, see How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file. Step 2: Create a script to automate the MBAM client immediately initiating encryption Create a script to automate the MBAM client immediately initiating encryption during a task sequence. You can create such a script by using either Windows PowerShell or Microsoft Visual Basic Scripting Edition (VBScript). You run this script in the task sequence for your automated deployments in MDT or System Center Configuration Manager. The high-level steps that the script must perform are as follows: 1. Determine whether the MBAM client has been installed. 2. Stop the MBAM client service. 3. Import the AddMBAMRegEntries.reg file to the registry.



4. Start the MBAM client service. 5. Verify that encryption has started on the desired disk volume. 6. Import the RemoveMBAMRegEntries.reg file. 7. Restart the MBAM client service. For an example of how to implement a script that performs these functions, see the section, “Automating the process with a script,” in the TechNet article, Using MBAM to start BitLocker Encryption in a Task Sequence. Step 3: Add a task sequence step to run the script You must add a task sequence step to run the script immediately after the task sequence step to install the MBAM client. The type of task sequence step you add is based on how you created the script. For example, if you created the script by using Windows PowerShell, then add a Run PowerShell Script task sequence step. If you used VBScript, then add a Run Command Line task sequence step.

Group Policy software installation You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a network share for the MBAM client installation files, and then create a GPO that installs the appropriate Windows Installer package file on each computer. To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to target computers in a particular security group or computers that are running Windows 8 or Windows 7.

You cannot use command-line options when you use Group Policy to deploy the MBAM client. In this scenario, the easiest way to configure the MBAM client is to use the MBAM Client Policy administrative template. Alternatively, you can create a transform for the MBAM client Windows Installer package files and apply that transform when you create the GPO.



Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable encryption with MBAM, you must ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Group Policy software installation–based deployments are always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment, as described in the section, BitLocker partition configuration requirements in this guide.

If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the section Lite Touch Installation in MDT 2012 or Zero Touch Installation and User-Driven Installation in MDT 2012.

Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The process for enabling the TPM is different for each device manufacturer and sometimes even across models within a device manufacturer. The high-level process for automatically enabling the TPM is as follows: 1. Package the vendor-specific software for enabling TPM as an .msi package. In some instances, the vendor-specific software may be scripts and cannot be easily packaged as an .msi file. In these instances, use one of the other methods for enabling TPM. 2. Create a network shared folder that contains the .msi package created in the previous step. 3. Create a GPO to install the .msi package (such as Enable TPM Policy). 4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a WMI query to determine whether the TPM is enabled on targeted devices. 5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if applicable. 6. Link the Enable TPM Policy GPO to the appropriate OUs.



Step 3: Share the installation files You must create a network share that contains the MBAM client Setup files. This network share must be accessible to all computers on which you want to install the MBAM client. Grant Read access to the Domain Computers group or to the Authenticated Users group. To create and share a folder for the MBAM client installation files 1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM Client Setup is the name of the folder you are creating to contain the MBAM client installation files. 2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 8 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.

Table 8. NTFS file system permissions for the MBAM client setup folder Account

Permissions

Applies to

Administrators

Full control

This folder, subfolders, and files

Authenticated Users

Read and Execute


3. Share the folder MBAM_Client_Setup by using the permissions that Table 9 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.

Table 9. Share permissions for the MBAM client setup folder Account

Permissions

Authenticated Users

Read



4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to \\SERVER\MBAM_Client_Setup. The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0 folder structure so that both versions are available for deployment. Step 4: Create a GPO to install the MBAM client You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a client running the Remote Server Administration Tools. You can create a GPO that installs only the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of your MBAM policies in one location. The steps in this section install both the x64 and x86 agents by using a single GPO, allowing Group Policy to determine the correct version to install. To create and edit a GPO to deploy the x64 and x86 MBAM client 1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client Installation): a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click New. b. In the Name box, type MBAM Client Installation, and then click OK. 2. In the navigation pane, right-click MBAM Client Installation, and then click Edit. 3. In the Group Policy Management Editor, right-click Software Installation in Computer Configuration\Policies\Software Settings, point to New, and then click Package. 4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit version of MBAMClient.msi in the x64 folder, and then click Open. Make sure you open the file from the network share you created earlier and not from a local path. 5. In the Deploy Software dialog box, click Advanced, and then click OK. 6. In the Name box on the General tab of the MDOP MBAM Properties dialog box, append x64 to the end of the name, and then click OK.



This will help you to distinguish between the x86 and x64 versions later. 7. In the Group Policy Management Editor, right-click Software Installation in Computer Configuration\Policies\Software Settings, point to New, and then click Package. 8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in the x86 folder, and then click Open. Make sure you open the file from the network share you created earlier and not from a local path. 9. In the Deploy Software dialog box, click Advanced, and then click OK. 10. In the MDOP MBAM Properties dialog box, complete the following steps, and then click OK: a. On the General tab, in the Name box, append x86 to the end of the name. b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86 application available to Win64 machines check box and click OK. Clearing this check box prevents Group Policy from installing the 32-bit MBAM client on 64-bit operating systems, ensuring that the correct version of the MBAM client is installed for each system type. 11. Close the Group Policy Management Editor. Step 5: Link the GPO to OUs You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in those OUs. You can link the GPO to individual OUs. If the computers you want to target for installation are in multiple OUs, you can link the GPO to the domain and use security or WMI filtering to limit installation to specific computers, types of computers, or Windows versions, which is discussed in the section, “Step 6: Optionally target the GPO.” To link the GPO to an OU 1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation GPO, and then click Link an Existing GPO. 2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client Installation, and then click OK.



Step 6: Optionally target the GPO When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all computers in that OU, installing the MBAM client on them. In some cases, however, this might not be desirable. You can target MBAM client deployment to specific computers within an OU by using security or WMI filtering. See Table 10 for more information.

Table 10. Filtering the MBAM Client Installation GPO Method

Description

Security filtering

This filtering method allows you to target specific computers based on membership in AD DS security groups. The members of the security group can be computer objects or other security groups containing computer objects. You control the deployment of the MBAM client to specific computers by adding or removing them from the security group. For more information about security filtering, see Filter Using Security Groups.

WMI filtering

This filtering method allows you to target specific computers based on a WMI query. For example, you could use a WMI query to target the operating system version on computers and deploy the MBAM client only if the operating system is Windows 8 or Windows 7. You create a WMI filter separately, and then link the WMI filter to the GPO that you created to deploy the MBAM client. For more information about WMI filtering and how to create a WMI filter, see Work with WMI Filters.

Lite Touch Installation in MDT 2012 You can deploy the MBAM client during operating system deployment by using the Lite Touch Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences. By installing the MBAM client as part of the operating system deployment task sequence, MDT installs the client automatically, which ensures that that the encryption is started or completed



before users receive their device and is protected before they start the device for the first time. The MBAM client will be ready for use before users log on to the device for the first time.

Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume. By default, MDT automatically performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8.

The following sections describe the steps necessary to complete each task in the Deployment Workbench: 1. Ensure that partitions on targeted devices are configured for BitLocker. 2. Enable the TPM on targeted devices. 3. Add the MBAM client to the Applications node of your deployment share. 4. Configure the MBAM client application to hide it from users in the Deployment Wizard. 5. Add an Install Application step to your existing operating system task sequences. 6. Configure the MDT BitLocker-related configuration settings. 7. Immediately initiate encryption by using the MBAM client during tasks sequences.

For more information about using MDT to install applications during operating system deployment, see the MDT documentation.



Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or for devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, LTI automatically resizes and creates the necessary partitions to support BitLocker, if there is sufficient available disk space. Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even across models within a device manufacturer. By default, LTI performs BitLocker pre-provisioning for new device, refresh device, and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can: 

Run in Windows PE, then you can support BitLocker pre-provisioning



Only run in a Windows operating system, then you must either: 

Manually enable the TPM to support BitLocker pre-provisioning



Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker preprovisioning. To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM. 2. Create an MDT application that contains the software in the previous step. 3. Install the application by using the Install Application task sequence step. Place the Install Application task sequence step in the Preinstall group immediately before the Enable BitLocker (Offline) task sequence step.



To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support) 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM. 2. Create an MDT application that contains the software in the previous step. 3. Install the application by using the Install Application task sequence step. Place the Install Application task sequence step in the State Restore group immediately before the Enable BitLocker task sequence step. For more information on enabling the TPM, see Enable the TPM. Step 3: Add the MBAM client application When you add an application to your MDT deployment share, you must specify the command that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version. The command you specify for MBAM client installation must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction. If you do not include this command-line option, the Setup program stalls the deployment process to wait for user interaction. To add the MBAM client to your deployment share 1. In the Deployment Workbench, click Applications under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share). 2. In the Actions pane, click New Application.



3. Complete each page of the New Application Wizard:

Page

Steps

Application Type

1. Click Application with source files. 2. Click Next. Select the Application without source files or elsewhere on the network check box if you already have the installation files in a network share. For more information, see the section, “Create a New Application That Is Deployed from Another Network Share,” in the MDT documentation.

Details

1. In the Application Name box, type MBAM Client 64-bit. 2. Click Next. The remaining text boxes on this page are optional and informational only. Although they do not affect deployment of the MBAM client, completing the remaining text boxes can prove useful later when you are maintaining the deployment share.

Source

1. In the Source directory box, type the path of the \MBAM\Installers\2.0\x64 folder that contains MbamClientSetup.exe. The Source directory box supports autocomplete, but you can click Browse to locate the files. 2. Click Next.



Page

Steps

Destination

1. In the Specify the name of the directory that should be created box, optionally edit the name of the folder that the New Application Wizard will create in the deployment share. The wizard suggests a name based on the publisher, name, and version that you provided on the Details page. 2. Click Next.

Command Details

1. In the Command line box, type the command you want to run to install the MBAM client—for example: MbamClientSetup.exe.exe /q 2. Click Next.

Summary

1. In the Details area, review the information that the Add New Application Wizard collected. 2. Click Next.

Progress

1. Monitor the wizard’s progress as it adds the application to your deployment share.

Confirmation

1. Review the results, and then click Finish.

If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New Application Wizard, changing the following: 

In step 1, in Application Name, type MBAM Client 32-bit.



In step 3, browse to the \MBAM\Installers\2.0\x86 folder.



Step 4: Configure the application After adding the application to your MDT deployment share, configure it to hide the application in the Deployment Wizard from users so they cannot prevent installation during deployment by selecting the Hide this application in the Deployment Wizard check box. Hiding the application prevents the user from selecting the application, which could create errors in the deployment process, because the application would try to install twice and one installation would return a failure code. To customize the MBAM client in your deployment share 1. In the Applications node of the deployment share, right-click the MBAM client application that you previously added, and then click Properties. 2. On the General tab of the application’s Properties dialog box, select the Hide this application in the Deployment Wizard check box. 3. Click OK. Step 5: Edit task sequences Install the MBAM client application during operating system deployment by adding it to task sequences. By adding the MBAM client to your existing task sequences, you can install the agent automatically, with no interaction from the user. This method helps to ensure that the MBAM client is available immediately, before users log on to the computer. To install the MBAM client in an LTI task sequence 1. In the Deployment Workbench, click Task Sequences under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share). 2. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Properties. 3. On the Task Sequence tab of the task sequence’s Properties dialog box, click the Install Applications task sequence step. This step is in the State Restore group. The task sequence editor adds the new task sequence step immediately after this step. 4. From the Add menu, click General, and then click Install Application.



5. Click the new Install Application task sequence step that you just added, then perform the following steps: a. In the Name box, type Install the MBAM Client. b. Click Install a single application, click Browse, click the MBAM client application in the Select An Item dialog box, and then click OK. c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment. 

Click OK to close the task sequence’s Properties dialog box.

Step 6: Configure MDT BitLocker-related settings You can configure BitLocker-related settings by using one the following methods in LTI: 

MDT properties specified in the CustomSettings.ini file or the MDT database (MDT DB) The benefit of this method is that you can prevent configuration errors by making the configuration settings in advance. This allows you to bypass the BitLocker page in the Deployment Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for LTI deployments and bypass the BitLocker page: 

BDEDriveLetter



BDEDriveSize



BDEInstall



BDEInstallSuppress



BDERecoveryKey



TPMOwnerPassword



OSDBitLockerStartupKeyDrive



OSDBitLockerWaitForEncryption

For more information these MDT properties, see the corresponding sections in the MDT document Toolkit Reference.





The BitLocker page in the Deployment Wizard (shown in Figure 5) The benefit of this method is that you can provide the BitLocker configuration settings at the time of deployment. This allows the user performing the deployment to make BitLocker configuration changes as required on a device-by-device basis at the time of deployment.

Figure 5. The BitLocker page in the Deployment Wizard Step 7: Add a task sequence step to immediately initiate encryption by using the MBAM client By default, the MBAM client initiates encryption and saves the recovery keys when configured by the MBAM Group Policy settings. However, this can leave the device in an unprotected state for a period of time.



You can configure the MBAM client to immediately initiate encryption in a task sequence step. For more information on how to do this, see Configure the MBAM client to immediately initiate encryption during task sequence.

Zero Touch Installation and User-Driven Installation in MDT 2012 You can deploy the MBAM client by using the application model in System Center 2012 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment: 

Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process will be discussed in the section, System Center 2012 Configuration Manager Application Model.



Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process is discussed in this section.

You can deploy the MBAM client during operating system deployment by using the Zero Touch Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences. By installing the MBAM client as part of the operating system deployment task sequence, ZTI and UDI install the client automatically, which ensures that that the encryption is started or completed before users receive their device and the device is protected before users starts it for the first time.. The MBAM client will be ready for use before users log on to the device for the first time.



Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume. By default, MDT automatically performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8.

The following tasks describe the steps necessary to complete each task: 1. Ensure that partitions on targeted devices are configured for BitLocker. 2. Enable the TPM on targeted devices. 3. Create and share a content folder for the MBAM client installation files. 4. Create a System Center 2012 Configuration Manager application for the MBAM client installation. 5. Distribute the System Center 2012 Configuration Manager application to the distribution points. 6. Deploy the System Center 2012 Configuration Manager application to the targeted computers. 7. Add an Install Application step to your existing operating system task sequences. 8. Configure the MDT BitLocker-related configuration settings. 9. Immediately initiate encryption by using the MBAM client during tasks sequences.



For more information about using MDT to install applications during operating system deployment, see the MDT documentation.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, MDT automatically resizes and creates the necessary partitions to support BitLocker (if there is sufficient available disk space) after the operating system has been deployed in the State Restore group.

If you want ZTI and UDI to automatically create the appropriate partitions for the refresh device deployment scenario in ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.

Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer. By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for new device and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:





Run in Windows PE, then you can support BitLocker pre-provisioning



Run only in a Windows operating system, you must either: 

Manually enable the TPM to support BitLocker pre-provisioning



Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence

If you want to use BitLocker pre-provisioning for the refresh device deployment scenario for ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker preprovisioning. To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM. 2. Create an MDT application that contains the software in the previous step. 3. Install the application by using the Install Application task sequence step. Place the Install Application task sequence step in the Preinstall group immediately before the Pre-provision BitLocker task sequence step. To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support) 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.



2. Create an MDT Application that contains the software in the previous step. 3. Install the application created in the previous step by using the Install Application task sequence step. Place the Install Application task sequence step in the State Restore group immediately before the Enable BitLocker task sequence step. Step 3: Share the installation content When you create a System Center 2012 Configuration Manager application, you must specify a source for the application content. The source must be a network share that is accessible to System Center 2012 Configuration Manager, because System Center 2012 Configuration Manager uses the contents of the source folder to create the application. To create and share a folder for the MBAM client installation content 1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files. 2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 13 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.


Permissions

Applies to

Administrators

Full control


Site_Server_Account

Read and Execute






Permissions

Administrators

Full control

Site_Server_Account

Full control

4. Copy the \MBAM\Installers\2.0folder structure from the MBAM distribution media to \\SERVER\MBAM Client Setup. The \MBAM\Installers\2.0folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0\folder structure so that both versions are available for deployment. Step 4: Create the MBAM client application When you create a System Center 2012 Configuration Manager application, you must specify the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM client, MBAMClient.msi requires less effort because of automatic detection of product codes and other application settings. Creating applications in System Center 2012 Configuration Manager is based on MSI files, which: 

Allow System Center 2012 Configuration Manager to detect whether the application is already installed



Use a well-known System Center 2012 Configuration Manager deployment type



Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click the Software Library workspace.



2. In the Software Library workspace, click Applications in Overview\Application Management. 3. In the Create group on the Ribbon, click Create Application. 4. Complete each page of the Create Application Wizard:

Page

Steps

General

1. Click Manually specify the application information. 2. Click Next.

General: General Information

1. In the Name box, type MBAM Client. 2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box. Selecting this check box allows you to use task sequence variables to install the MBAM client. 3. Click Next. The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.

General: Application Catalog

1. Click Next.

General:

1. Click Add to add a deployment type for the 64-bit version of

The text boxes on this page are optional and prompt for information that you want to display in the application catalog. However, this deployment guide recommends that you hide the MBAM client from the application catalog.


Page Deployment Types


Steps the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x64 folder). 2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (e.g., \\SERVER\MBAM_Client_Setup), and then click Next. 3. On the Import Information page of the Create Deployment Type Wizard, click Next. 4. On the General Information page of the Create Deployment Type Wizard, perform the following steps: a. In the Name box, append x64 to the end of the name for easier identification later. b. In the Installation program box, add /q to the end of the command. c. Click Next. 5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps: a. Click Add. b. Click Operating system in the Condition list. c. In the operating system list, select All Windows 7 (64-bit) and All Windows 8 (64-bit). (Select the 64bit operating systems that you want to support.) d. Click OK. e. Click Next. 6. On the Dependencies page of the Create Deployment Type Wizard, click Next. 7. On the Summary page of the Create Deployment Type


Page


Steps Wizard, review the deployment type details, and then click Next. 8. On the Completion page of the Create Deployment Type Wizard, click Close. 9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x86), and then click Next.

Summary

1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Create Application Wizard while it creates the application.

Completion

1. Verify that the Create Application Wizard finished successfully, and then click Close.

Step 5: Distribute the MBAM client application After creating the MBAM client application in System Center 2012 Configuration Manager, you must distribute the application content to your distribution points. Targeted computers will install the MBAM client from the distribution points. You use the Distribute Content Wizard in the Configuration Manager console to distribute the MBAM client application. To distribute the MBAM client System Center 2012 Configuration Manager application 1. In the results pane, click MBAM Client. 2. In the Deployment group on the Ribbon, click Distribute Content. 3. Complete each page of the Distribute Content Wizard:



Page

Steps

General

1. Click Next.

General: Content

1. Click Next.

General: Content Destination

1. Click Add, and then click Distribution Point. 2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK. 3. Click Next.

Summary

1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.

Completion

1. Verify that the Distribute Content Wizard finished successfully, and then click Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation content before continuing to deploy the MBAM client application. To do so, click Refresh in the Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution status on the Summary tab at the bottom. When the content status shows that content distribution is successful, you can deploy the MBAM client application. Step 6: Deploy the MBAM client application You can deploy the MBAM client application to users or devices. Because the agent is computercentric, Microsoft recommends that you deploy it to computer collections—not user collections.



You use the Deploy Software Wizard in the Configuration Manager console to deploy the MBAM client application after you have successfully distributed it. To deploy the MBAM client System Center 2012 Configuration Manager application 1. In the results pane, click MBAM Client. 2. In the Deployment group on the Ribbon, click Deploy. 3. Complete each page of the Deploy Software Wizard:

Page

Steps

General

1. Click Browse next to the Collection box. 2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click a device collection to which you want to deploy the MBAM client, and then click OK. 3. Click Next. You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 Configuration Manager, see the TechNet article, How to Create Collections in Configuration Manager.

Content

1. Click Next.

Deployment Settings

1. In the Purpose list, click Required. 2. Click Next. Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 Configuration Manager also reinstalls the agent if users remove it.



Page

Steps

Scheduling

1. Click Next.

User Experience

1. In the User notifications list, click Hide in Software Center and all notifications. 2. Click Next. Selecting Hide in Software Center and all notifications prevents System Center 2012 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction or interference with deployment.

Alerts

1. Click Next.

Summary

1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.

Completion

1. Verify that the Deploy Software Wizard finished successfully, and then click Close.

Step 7: Edit task sequences Install the MBAM client application during operating system deployment by adding the MBAM client application to existing task sequences. In this way, you can install the client automatically, with no interaction or interference from users. Doing so helps to ensure that the MBAM client is available immediately, before users log on to the computer.



To install the MBAM client in a System Center 2012 Configuration Manager task sequence 1. In the Configuration Manager console, click the Software Library workspace. 2. In the Software Library workspace, click Task Sequences in Overview\Operating Systems. 3. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Edit. 4. Click the Install Applications group under the State Restore group. The task sequence editor adds the new step in this group. 5. From the Add menu, click General, and then click Install Application. 6. Click the new Install Application task sequence step that you just added, then perform the following steps: a. In the Name box, type Install the MBAM Client. b. Click New (the button that looks like a star), click the MBAM client application in the Select The Application To Install dialog box, and then click OK. c. Optionally, on the Options tab, select the Continue on error check box. Select this check only if you want the task sequence to continue running if the MBAM Client fails to install during operating system deployment. 7. Click OK to close the Task Sequence Editor dialog box. Step 8: Configure MDT BitLocker-related settings You can configure BitLocker-related settings by using one the following methods in MDT: 

MDT properties specified in the CustomSettings.ini file or the MDT DB This method must be used in ZTI deployments. You can use this method for UDI deployments to help prevent configuration errors by making the configuration settings in advance. Doing so allows you to bypass the BitLocker page in the UDI Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for ZTI deployments or bypass the BitLocker page in the UDI Wizard for UDI deployments: 

BDEDriveLetter




BDEDriveSize



BDEInstall



BDEInstallSuppress



BDERecoveryKey



TPMOwnerPassword



OSDBitLockerStartupKeyDrive



OSDBitLockerWaitForEncryption


For more information on these MDT properties, see the corresponding sections in the MDT document Toolkit Reference. 

BitLocker page in the UDI Wizard (as shown in Figure 6) The benefit of this method is that you can provide the BitLocker configuration settings at the time of deployment. This allows the user performing the deployment to make BitLocker configuration changes as required on a device-by-device basis at the time of deployment.



Figure 6. BitLocker Page in the UDI Wizard Step 9: Add a task sequence step to immediately initiate encryption by using the MBAM client By default, the MBAM client initiates encryption and saves the recovery keys when configured by the MBAM Group Policy settings. However, this process can leave the device in an unprotected state for a period of time. You can configure the MBAM client to immediately initiate encryption in a task sequence step. For more information on how to do this, see Configure the MBAM client to immediately initiate encryption during task sequence.



System Center 2012 Configuration Manager Application Model You can deploy the MBAM client by using the application model in System Center 2012 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment: 

Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process is discussed in this section.



Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process was discussed in the section, Zero Touch Installation and User-Driven Installation in MDT 2012.

You can also deploy the MBAM client by using the package and program feature in System Center Configuration Manager 2007. For more information on how to deploy software using the package and program feature, see Tasks for Software Distribution.

The following sections describe the steps necessary to complete each task in the Configuration Manager console: 1. Ensure that the partitions on the targeted devices are configured for BitLocker. 2. Enable the TPM on targeted devices (if not already enabled). 3. Create and share a content folder for the MBAM client installation files.



4. Create a System Center 2012 Configuration Manager application for the MBAM client installation. 5. Distribute the System Center 2012 Configuration Manager application to the distribution points. 6. Deploy the System Center 2012 Configuration Manager application to the targeted computers.

You can automate the steps listed above by creating a custom System Center Configuration Manager task sequence. For more information, see the section, “To create a custom task sequence,” in the TechNet article How to Create Task Sequences.

For more information about using System Center 2012 Configuration Manager to deploy applications, see the Microsoft TechNet article, System Center Technical Resources. Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment as described in the section, BitLocker partition configuration requirements in this guide.




Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. You can manually enable the TPM on the targeted devices or automate enabling the TPM on the targeted devices by using scripts or software. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer. To automatically enable the TPM by using scripts or software 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM. 2. Create a System Center 2012 Configuration Manager application that contains the software in the previous step. 3. Distribute the application to the distribution points. 4. Deploy the application to the appropriate user or device collections. Step 3: Share the installation content When you create a System Center 2012 Configuration Manager application, you must specify a source for the application content. The source must be a network share that is accessible to System Center 2012 Configuration Manager, because System Center 2012 Configuration Manager uses the contents of the source folder to create the application. To create and share a folder for the MBAM client installation content 1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files. 2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 13 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.




Permissions

Applies to

Administrators

Full control


Site_Server_Account

Read and Execute




Permissions

Administrators

Full control

Site_Server_Account

Full control

4. Copy the \MBAM\Installers\2.0folder structure from the MBAM distribution media to \\SERVER\MBAM Client Setup. The \MBAM\Installers\2.0folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0\folder structure so that both versions are available for deployment. Step 4: Create the MBAM client application When you create a System Center 2012 Configuration Manager application, you must specify the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM client, MBAMClient.msi requires less effort because of automatic detection of product codes and



other application settings. Creating applications in System Center 2012 Configuration Manager is based on MSI files, which: 

Allow System Center 2012 Configuration Manager to detect whether the application is already installed



Use a well-known System Center 2012 Configuration Manager deployment type



Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click the Software Library workspace. 2. In the Software Library workspace, click Applications in Overview\Application Management. 3. In the Create group on the Ribbon, click Create Application. 4. Complete each page of the Create Application Wizard:

Page

Steps

General

1. Click Manually specify the application information. 2. Click Next.



Page

Steps

General: General Information

1. In the Name box, type MBAM Client. 2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box. Selecting this check box allows you to use task sequence variables to install the MBAM client. 3. Click Next. The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.

General: Application Catalog

1. Click Next.

General: Deployment Types

1. Click Add to add a deployment type for the 64-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x64 folder).

The text boxes on this page are optional and prompt for information that you want to display in the application catalog. However, this deployment guide recommends that you hide the MBAM client from the application catalog.

2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (e.g., \\SERVER\MBAM_Client_Setup), and then click Next. 3. On the Import Information page of the Create Deployment Type Wizard, click Next. 4. On the General Information page of the Create


Page


Steps Deployment Type Wizard, perform the following steps: a. In the Name box, append x64 to the end of the name for easier identification later. b. In the Installation program box, add /q to the end of the command. c. Click Next. 5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps: a. Click Add. b. Click Operating system in the Condition list. c. In the operating system list, select All Windows 7 (64-bit) and All Windows 8 (64-bit). (Select the 64-bit operating systems that you want to support.) d. Click OK. e. Click Next. 6. On the Dependencies page of the Create Deployment Type Wizard, click Next. 7. On the Summary page of the Create Deployment Type Wizard, review the deployment type details, and then click Next. 8. On the Completion page of the Create Deployment Type Wizard, click Close. 9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAMClient.msi in the \MBAM\Installers\2.0\x86), and then click Next.



Page

Steps

Summary

1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Create Application Wizard while it creates the application.

Completion

1. Verify that the Create Application Wizard finished successfully, and then click Close.

If you decided to automatically enable the TPM by using a script or software in Step 2: Enable the TPM on targeted devices, make certain you set the application created in that step as a dependency for the deployment type for the application created in this step. For more information on creating System Center 2012 Configuration Manager application dependencies, see Step 7: Specify Dependencies for the Deployment Type on TechNet.

Step 5: Distribute the MBAM client application After creating the MBAM client application in System Center 2012 Configuration Manager, you must distribute the application content to your distribution points. Targeted computers install the MBAM client from the distribution points. You use the Distribute Content Wizard in the Configuration Manager console to distribute the MBAM client application. To distribute the MBAM client System Center 2012 Configuration Manager application 1. In the results pane, click MBAM Client. 2. In the Deployment group on the Ribbon, click Distribute Content.



3. Complete each page of the Distribute Content Wizard:

Page

Steps

General

1. Click Next.

General: Content

1. Click Next.

General: Content Destination

1. Click Add, and then click Distribution Point. 2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK. 3. Click Next.

Summary

1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.

Completion

1. Verify that the Distribute Content Wizard finished successfully, and then click Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation content before continuing to deploy the MBAM client application. To do so, click Refresh in the Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution status on the Summary tab at the bottom. When the content status shows that content distribution is successful, you can deploy the MBAM client application.



Step 6: Deploy the MBAM client application You can deploy the MBAM client application to users or devices. Because the agent is computercentric, Microsoft recommends that you deploy it to computer collections—not user collections. You use the Deploy Software Wizard in the Configuration Manager console to deploy the MBAM client application after you have successfully distributed it. To deploy the MBAM client System Center 2012 Configuration Manager application 1. In the results pane, click MBAM Client. 2. In the Deployment group on the Ribbon, click Deploy. 3. Complete each page of the Deploy Software Wizard:

Page

Steps

General

1. Click Browse next to the Collection box. 2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click a device collection to which you want to deploy the MBAM client, and then click OK. 3. Click Next. You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 Configuration Manager, see the TechNet article, How to Create Collections in Configuration Manager.

Content

1. Click Next.



Page

Steps

Deployment Settings

1. In the Purpose list, click Required. 2. Click Next. Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 Configuration Manager also reinstalls the agent if users remove it.

Scheduling

1. Click Next.

User Experience

1. In the User notifications list, click Hide in Software Center and all notifications. 2. Click Next. Selecting Hide in Software Center and all notifications prevents System Center 2012 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction or interference with deployment.

Alerts

1. Click Next.

Summary

1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.

Progress

1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.



Page

Steps

Completion

1. Verify that the Deploy Software Wizard finished successfully, and then click Close.

Scripted installation If you do not use MDT or System Center 2012 Configuration Manager to deploy applications in your environment and you do not want to use Group Policy software installation, you can script installation by using batch scripts, Windows PowerShell scripts, and so on. With this technique, you are essentially performing a command-line installation. You can use the same technique to install the MBAM client by using any non-Microsoft ESD system. The following sections describe the steps necessary to complete each task: 1. Ensure that the partitions on the targeted devices are configured for BitLocker. 2. Enable the TPM on targeted devices (if not already enabled). 3. Create and share a folder containing the MBAM client installation files. 4. Run MbamClientSetup.exe from the network share containing the installation files. Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment as described in the section, BitLocker partition configuration requirements, in this guide.




Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on them. You can manually enable the TPM on the targeted devices or automate the process by using scripts or software. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer. To automatically enable the TPM by using scripts or software 1. Create a network shared folder that contains the vendor-specific software for enabling the TPM. 2. Create a batch file or script that runs the software in the previous step. 3. Ensure that you run the software to enable the TPM prior to running MbamClientSetup.exe and installing the MBAM client. Step 3: Share the installation files Create a network share that contains the MBAM client installation files. This network share must be accessible to all computers on which you want to install the MBAM client. You can give Read access to the Domain Computers group or to the Authenticated Users group. To create and share a folder for the MBAM client installation files 1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files. 2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 15 describes.



To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.


Permissions

Applies to

Administrators

Full control


Authenticated Users

Read and Execute


3. Share the folder MBAM_Client_ Setup by using the permissions that Table 16 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.


Permissions

Authenticated Users

Read

4. Copy the \MBAM\Installers\2.0folder structure from the MBAM distribution media to \\SERVER\MBAM Client Setup. The \MBAM\Installers\2.0folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0 folder structure so that both versions are available for deployment. Step 4: Run MbamClientSetup.exe For a scripted installation, the command you use to install the MBAM client must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction, as shown in the following example. If you do not



include this command-line option, the Setup program stalls the deployment process to wait for user interaction. MbamClientSetup.exe /q

You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.

Installing the MBAM client remotely You must install the MBAM client from an elevated command prompt. Therefore, users with restricted accounts cannot run scripts that install the MBAM client. A variety of tools and techniques are available to work around this limitation. Examples include: 

Use Windows PowerShell Remoting to run the MBAM client Setup program on a list of remote computers. For more information about Windows PowerShell Remoting, see the TechNet article, Running Remote Commands.



Use the Windows Sysinternals PsExec tool to run processes remotely with specific credentials. For more information about PsExec and the other amazing tools in the Sysinternals toolset, see the TechNet article, PsTools.



Use Group Policy preferences to schedule a job in Task Scheduler that runs the Microsoft User Experience Virtualization Agent installation on targeted computers with credentials that you specify in the task. For more information about scheduling tasks by using Group Policy preferences, see the TechNet article, Configure a Scheduled Task Item.

In addition, many non-Microsoft tools are available to script the installation of programs that require elevated permissions. Many of them are free or have a nominal cost.


| VALIDATING THE MBAM INFRASTRUCTURE

75

Validating the MBAM infrastructure After deploying the MBAM server and client, verify that the MBAM infrastructure is working properly. You can validate the MBAM infrastructure by performing some common BitLocker management tasks in MBAM. For more information about how to perform BitLocker management tasks by using MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Use the MBAM Self-Service Portal to regain access to a device You can prevent users from accessing their BitLocker-enabled devices if they forget their password or PIN, changed operating system files, changed the BIOS, or changed the TPM. Users can regain access to their device without assistance from the help desk by using the MBAM SelfService Portal. To use the MBAM Self-Service Portal to regain access to a device 1. In Internet Explorer, browse to the MBAM Self-Service Portal. 2. In Recovery KeyId, enter a minimum of eight digits from the 32-digit BitLocker Key ID displayed on the BitLocker recovery page of the inaccessible device. 3. In Reason, select a reason for the recovery key request, and then click Get Key. The MBAM Self-Service Portal obtains and displays the 48-digit BitLocker recovery key in Your BitLocker Recovery Key. 4. Enter the 48-digit BitLocker recovery key on the BitLocker recovery page on the inaccessible device. 5. The device can now be successfully started. For more information about how to regain access to a device by using the MBAM SelfService Portal and other BitLocker management tasks that you can perform, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.



76

Determine the BitLocker encryption state of lost or stolen devices A common concern for most organizations is the loss or theft of a device that contains sensitive information. A BitLocker-protected device helps prevent unauthorized users from accessing the sensitive information on such a device. IT pros can determine which volumes on a device are protected and better assess the risk associated with the loss or theft of the device. To determine the BitLocker encryption state of lost or stolen devices 1. In Internet Explorer, browse to the MBAM website. 2. In the navigation pane, in the Report node, click Computer Compliance Report. 3. In the results pane, select the appropriate filter fields to narrow the search results, and then click Search. Search results are shown in the list box below. Device protection is determined by the deployed BitLocker policies, which reflect the BitLocker encryption state of a device. For more information about how to determine the BitLocker encryption state of a device by using MBAM and other BitLocker management tasks that you can perform by using MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.



77

Use a help desk portal to reset a TPM lockout You can prevent users from accessing their BitLocker-enabled device if they enter an incorrect PIN too many times, which results in a TPM lockout. The number of times a user can enter an incorrect PIN before the TPM locks varies by manufacturer. You can help users regain access to their devices by using the MBAM Help Desk Portal to reset the TPM lockout.

You can reset a TPM lockout only if MBAM was used to initially provision the TPM. If the TPM was provisioned prior to MBAM deployment, the TPM data may be stored in AD DS if the appropriate Group Policy settings were configured and you cannot reset a TPM lockout by using MBAM.

To use the MBAM administration website to reset a TPM lockout 1. In Internet Explorer, browse to the MBAM administration website. 2. In the navigation pane, click Manage TPM. 3. Enter the following information, and then click Submit: 

Fully qualified domain name of the locked device



Computer name of the locked device



Windows logon domain for the user



User name of the user



Reason for requesting the TPM owner password file

The MBAM Help Desk Portal returns one of the following results: 

The TPM owner password file for the device



A message indicating that no matching TPM owner password file was found

4. Click Save. Doing so saves the TPM owner password file.



78

5. Run the TPM management console, select the Reset TPM lockout option, and provide the TPM owner password file to reset the TPM lockout.

The TPM hash value and TPM owner password should only be used by authorized help desk and support personnel for the purpose of resolving a TPM lockout scenario. Microsoft does not recommend providing this information directly to users, because the TPM information does not change and could pose a security risk if the information does not remain secure.

For more information about how to reset a TPM lockout and other BitLocker management tasks that you can perform with MBAM, see the section, “Performing BitLocker Management with MBAM,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.


| CONCLUSION 79

Conclusion Deploying MBAM can be easy and requires minimal updates to your existing infrastructure. You can deploy the MBAM server components in a stand-alone topology or, if you want to integrate with an existing System Center Configuration Manager infrastructure, a Configuration Manager topology. In either case, you can evaluate MBAM on a single server or deploy the MBAM server components in your production environment on multiple servers so that you can scale to a size appropriate for your organization. With the infrastructure in place, you can use highly automated processes such as Group Policy, MDT, System Center Configuration Manager, or scripted installation methods to deploy the MBAM client and provision BitLocker on user devices. From there, use the MBAM Group Policy

template to provide ongoing management of the MBAM client. Download MBAM today to evaluate its deployment in your organization. MBAM is part of MDOP, and MDOP is available to TechNet subscribers and MSDN subscribers. MDOP is also available for purchase if you have Software Assurance on Windows client (including Windows Intune subscribers). For more information about MBAM, see: 

The Microsoft Desktop Optimization Pack website to learn more about its business benefits



The Microsoft BitLocker Administration and Monitoring content on TechNet for technical information, including videos that provide an overview and demonstrate how to set up and configure MBAM

MBAM Deployment Guide

Recommend Documents